<!doctype html><html lang="en">
 <head>
  <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  <title>Web Authentication: An API for accessing Public Key Credentials </title>
  <meta content="width=device-width, initial-scale=1, shrink-to-fit=no" name="viewport">
  <meta content="WD" name="w3c-status">
  <meta content="Bikeshed version fa6d32dea6b39d19cbb9dd6d5e69f189e8bdd53f" name="generator">
<style>/* style-md-lists */

            /* This is a weird hack for me not yet following the commonmark spec
               regarding paragraph and lists. */
            [data-md] > :first-child {
                margin-top: 0;
            }
            [data-md] > :last-child {
                margin-bottom: 0;
            }</style>
<style>/* style-selflinks */

            .heading, .issue, .note, .example, li, dt {
                position: relative;
            }
            a.self-link {
                position: absolute;
                top: 0;
                left: calc(-1 * (3.5rem - 26px));
                width: calc(3.5rem - 26px);
                height: 2em;
                text-align: center;
                border: none;
                transition: opacity .2s;
                opacity: .5;
            }
            a.self-link:hover {
                opacity: 1;
            }
            .heading > a.self-link {
                font-size: 83%;
            }
            li > a.self-link {
                left: calc(-1 * (3.5rem - 26px) - 2em);
            }
            dfn > a.self-link {
                top: auto;
                left: auto;
                opacity: 0;
                width: 1.5em;
                height: 1.5em;
                background: gray;
                color: white;
                font-style: normal;
                transition: opacity .2s, background-color .2s, color .2s;
            }
            dfn:hover > a.self-link {
                opacity: 1;
            }
            dfn > a.self-link:hover {
                color: black;
            }

            a.self-link::before            { content: "¶"; }
            .heading > a.self-link::before { content: "§"; }
            dfn > a.self-link::before      { content: "#"; }</style>
<style>/* style-counters */

            body {
                counter-reset: example figure issue;
            }
            .issue {
                counter-increment: issue;
            }
            .issue:not(.no-marker)::before {
                content: "Issue " counter(issue);
            }

            .example {
                counter-increment: example;
            }
            .example:not(.no-marker)::before {
                content: "Example " counter(example);
            }
            .invalid.example:not(.no-marker)::before,
            .illegal.example:not(.no-marker)::before {
                content: "Invalid Example" counter(example);
            }

            figcaption {
                counter-increment: figure;
            }
            figcaption:not(.no-marker)::before {
                content: "Figure " counter(figure) " ";
            }</style>
<style>/* style-autolinks */

            .css.css, .property.property, .descriptor.descriptor {
                color: #005a9c;
                font-size: inherit;
                font-family: inherit;
            }
            .css::before, .property::before, .descriptor::before {
                content: "‘";
            }
            .css::after, .property::after, .descriptor::after {
                content: "’";
            }
            .property, .descriptor {
                /* Don't wrap property and descriptor names */
                white-space: nowrap;
            }
            .type { /* CSS value <type> */
                font-style: italic;
            }
            pre .property::before, pre .property::after {
                content: "";
            }
            [data-link-type="property"]::before,
            [data-link-type="propdesc"]::before,
            [data-link-type="descriptor"]::before,
            [data-link-type="value"]::before,
            [data-link-type="function"]::before,
            [data-link-type="at-rule"]::before,
            [data-link-type="selector"]::before,
            [data-link-type="maybe"]::before {
                content: "‘";
            }
            [data-link-type="property"]::after,
            [data-link-type="propdesc"]::after,
            [data-link-type="descriptor"]::after,
            [data-link-type="value"]::after,
            [data-link-type="function"]::after,
            [data-link-type="at-rule"]::after,
            [data-link-type="selector"]::after,
            [data-link-type="maybe"]::after {
                content: "’";
            }

            [data-link-type].production::before,
            [data-link-type].production::after,
            .prod [data-link-type]::before,
            .prod [data-link-type]::after {
                content: "";
            }

            [data-link-type=element],
            [data-link-type=element-attr] {
                font-family: Menlo, Consolas, "DejaVu Sans Mono", monospace;
                font-size: .9em;
            }
            [data-link-type=element]::before { content: "<" }
            [data-link-type=element]::after  { content: ">" }

            [data-link-type=biblio] {
                white-space: pre;
            }</style>
<style>/* style-dfn-panel */

        .dfn-panel {
            position: absolute;
            z-index: 35;
            height: auto;
            width: -webkit-fit-content;
            width: fit-content;
            max-width: 300px;
            max-height: 500px;
            overflow: auto;
            padding: 0.5em 0.75em;
            font: small Helvetica Neue, sans-serif, Droid Sans Fallback;
            background: #DDDDDD;
            color: black;
            border: outset 0.2em;
        }
        .dfn-panel:not(.on) { display: none; }
        .dfn-panel * { margin: 0; padding: 0; text-indent: 0; }
        .dfn-panel > b { display: block; }
        .dfn-panel a { color: black; }
        .dfn-panel a:not(:hover) { text-decoration: none !important; border-bottom: none !important; }
        .dfn-panel > b + b { margin-top: 0.25em; }
        .dfn-panel ul { padding: 0; }
        .dfn-panel li { list-style: inside; }
        .dfn-panel.activated {
            display: inline-block;
            position: fixed;
            left: .5em;
            bottom: 2em;
            margin: 0 auto;
            max-width: calc(100vw - 1.5em - .4em - .5em);
            max-height: 30vh;
        }

        .dfn-paneled { cursor: pointer; }
        </style>
<style>/* style-syntax-highlighting */
pre.idl.highlight { color: #708090; }
        .highlight:not(.idl) { background: hsl(24, 20%, 95%); }
        code.highlight { padding: .1em; border-radius: .3em; }
        pre.highlight, pre > code.highlight { display: block; padding: 1em; margin: .5em 0; overflow: auto; border-radius: 0; }
        .highlight .c { color: #708090 } /* Comment */
        .highlight .k { color: #990055 } /* Keyword */
        .highlight .l { color: #000000 } /* Literal */
        .highlight .n { color: #0077aa } /* Name */
        .highlight .o { color: #999999 } /* Operator */
        .highlight .p { color: #999999 } /* Punctuation */
        .highlight .cm { color: #708090 } /* Comment.Multiline */
        .highlight .cp { color: #708090 } /* Comment.Preproc */
        .highlight .c1 { color: #708090 } /* Comment.Single */
        .highlight .cs { color: #708090 } /* Comment.Special */
        .highlight .kc { color: #990055 } /* Keyword.Constant */
        .highlight .kd { color: #990055 } /* Keyword.Declaration */
        .highlight .kn { color: #990055 } /* Keyword.Namespace */
        .highlight .kp { color: #990055 } /* Keyword.Pseudo */
        .highlight .kr { color: #990055 } /* Keyword.Reserved */
        .highlight .kt { color: #990055 } /* Keyword.Type */
        .highlight .ld { color: #000000 } /* Literal.Date */
        .highlight .m { color: #000000 } /* Literal.Number */
        .highlight .s { color: #a67f59 } /* Literal.String */
        .highlight .na { color: #0077aa } /* Name.Attribute */
        .highlight .nc { color: #0077aa } /* Name.Class */
        .highlight .no { color: #0077aa } /* Name.Constant */
        .highlight .nd { color: #0077aa } /* Name.Decorator */
        .highlight .ni { color: #0077aa } /* Name.Entity */
        .highlight .ne { color: #0077aa } /* Name.Exception */
        .highlight .nf { color: #0077aa } /* Name.Function */
        .highlight .nl { color: #0077aa } /* Name.Label */
        .highlight .nn { color: #0077aa } /* Name.Namespace */
        .highlight .py { color: #0077aa } /* Name.Property */
        .highlight .nt { color: #669900 } /* Name.Tag */
        .highlight .nv { color: #222222 } /* Name.Variable */
        .highlight .ow { color: #999999 } /* Operator.Word */
        .highlight .mb { color: #000000 } /* Literal.Number.Bin */
        .highlight .mf { color: #000000 } /* Literal.Number.Float */
        .highlight .mh { color: #000000 } /* Literal.Number.Hex */
        .highlight .mi { color: #000000 } /* Literal.Number.Integer */
        .highlight .mo { color: #000000 } /* Literal.Number.Oct */
        .highlight .sb { color: #a67f59 } /* Literal.String.Backtick */
        .highlight .sc { color: #a67f59 } /* Literal.String.Char */
        .highlight .sd { color: #a67f59 } /* Literal.String.Doc */
        .highlight .s2 { color: #a67f59 } /* Literal.String.Double */
        .highlight .se { color: #a67f59 } /* Literal.String.Escape */
        .highlight .sh { color: #a67f59 } /* Literal.String.Heredoc */
        .highlight .si { color: #a67f59 } /* Literal.String.Interpol */
        .highlight .sx { color: #a67f59 } /* Literal.String.Other */
        .highlight .sr { color: #a67f59 } /* Literal.String.Regex */
        .highlight .s1 { color: #a67f59 } /* Literal.String.Single */
        .highlight .ss { color: #a67f59 } /* Literal.String.Symbol */
        .highlight .vc { color: #0077aa } /* Name.Variable.Class */
        .highlight .vg { color: #0077aa } /* Name.Variable.Global */
        .highlight .vi { color: #0077aa } /* Name.Variable.Instance */
        .highlight .il { color: #000000 } /* Literal.Number.Integer.Long */
        </style>
  <link href="https://www.w3.org/StyleSheets/TR/2016/W3C-WD" rel="stylesheet" type="text/css">
 <body class="h-entry">
  <div class="head">
   <header>
    <p data-fill-with="logo"><a href="https://www.w3.org/"><img alt="W3C" height="48" src="https://www.w3.org/StyleSheets/TR/2016/logos/W3C" width="72"></a> </p>
    <h1 class="p-name no-ref" id="title">Web Authentication: An API for accessing Public Key Credentials </h1>
    <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">W3C Working Draft, <time class="dt-updated" datetime="2017-05-05">5 May 2017</time></span></h2>
   </header>
   <div data-fill-with="spec-metadata">
    <dl>
     <dt>This version:
     <dd><a class="u-url" href="https://www.w3.org/TR/2017/WD-webauthn-20170505/">https://www.w3.org/TR/2017/WD-webauthn-20170505/</a>
     <dt>Latest published version:
     <dd><a href="https://www.w3.org/TR/webauthn/">https://www.w3.org/TR/webauthn/</a>
     <dt>Editor's Draft:
     <dd><a href="https://w3c.github.io/webauthn/">https://w3c.github.io/webauthn/</a>
     <dt>Previous Versions:
     <dd><a href="https://www.w3.org/TR/2017/WD-webauthn-20170216/" rel="previous">https://www.w3.org/TR/2017/WD-webauthn-20170216/</a>
     <dd><a href="https://www.w3.org/TR/2016/WD-webauthn-20161207/" rel="previous">https://www.w3.org/TR/2016/WD-webauthn-20161207/</a>
     <dd><a href="https://www.w3.org/TR/2016/WD-webauthn-20160928/" rel="previous">https://www.w3.org/TR/2016/WD-webauthn-20160928/</a>
     <dd><a href="https://www.w3.org/TR/2016/WD-webauthn-20160902/" rel="previous">https://www.w3.org/TR/2016/WD-webauthn-20160902/</a>
     <dd><a href="https://www.w3.org/TR/2016/WD-webauthn-20160531/" rel="previous">https://www.w3.org/TR/2016/WD-webauthn-20160531/</a>
     <dt>Issue Tracking:
     <dd><a href="https://github.com/w3c/webauthn/issues">Github</a>
     <dt class="editor">Editors:
     <dd class="editor p-author h-card vcard" data-editor-id="55440"><a class="p-name fn u-email email" href="mailto:vijay.bharadwaj@microsoft.com">Vijay Bharadwaj</a> (<span class="p-org org">Microsoft</span>)
     <dd class="editor p-author h-card vcard" data-editor-id="84817"><a class="p-name fn u-email email" href="mailto:hlevangong@paypal.com">Hubert Le Van Gong</a> (<span class="p-org org">PayPal</span>)
     <dd class="editor p-author h-card vcard" data-editor-id="47648"><a class="p-name fn u-email email" href="mailto:balfanz@google.com">Dirk Balfanz</a> (<span class="p-org org">Google</span>)
     <dd class="editor p-author h-card vcard" data-editor-id="87258"><a class="p-name fn u-email email" href="mailto:aczeskis@google.com">Alexei Czeskis</a> (<span class="p-org org">Google</span>)
     <dd class="editor p-author h-card vcard" data-editor-id="87332"><a class="p-name fn u-email email" href="mailto:arnarb@google.com">Arnar Birgisson</a> (<span class="p-org org">Google</span>)
     <dd class="editor p-author h-card vcard" data-editor-id="43843"><a class="p-name fn u-email email" href="mailto:Jeff.Hodges@paypal.com">Jeff Hodges</a> (<span class="p-org org">PayPal</span>)
     <dd class="editor p-author h-card vcard" data-editor-id="38745"><a class="p-name fn u-email email" href="mailto:mbj@microsoft.com">Michael B. Jones</a> (<span class="p-org org">Microsoft</span>)
     <dd class="editor p-author h-card vcard" data-editor-id="84447"><a class="p-name fn u-email email" href="mailto:rolf@noknok.com">Rolf Lindemann</a> (<span class="p-org org">Nok Nok Labs</span>)
     <dd class="editor p-author h-card vcard" data-editor-id="87240"><a class="p-name fn u-email email" href="mailto:jc@mozilla.com">J.C. Jones</a> (<span class="p-org org">Mozilla</span>)
     <dt>Tests:
     <dd><span><a href="https://github.com/w3c/web-platform-tests/tree/master/webauthn">web-platform-tests webauthn/</a> (<a href="https://github.com/w3c/web-platform-tests/labels/webauthn">ongoing work</a>)</span>
    </dl>
   </div>
   <div data-fill-with="warning"></div>
   <p class="copyright" data-fill-with="copyright"><a href="https://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a> © 2017 <a href="https://www.w3.org/"><abbr title="World Wide Web Consortium">W3C</abbr></a><sup>®</sup> (<a href="http://www.csail.mit.edu/"><abbr title="Massachusetts Institute of Technology">MIT</abbr></a>, <a href="http://www.ercim.eu/"><abbr title="European Research Consortium for Informatics and Mathematics">ERCIM</abbr></a>, <a href="http://www.keio.ac.jp/">Keio</a>, <a href="http://ev.buaa.edu.cn/">Beihang</a>). W3C <a href="https://www.w3.org/Consortium/Legal/ipr-notice#Legal_Disclaimer">liability</a>, <a href="https://www.w3.org/Consortium/Legal/ipr-notice#W3C_Trademarks">trademark</a> and <a href="https://www.w3.org/Consortium/Legal/copyright-documents">document use</a> rules apply. </p>
   <hr title="Separator for header">
  </div>
  <h2 class="no-num no-toc no-ref heading settled" id="abstract"><span class="content">Abstract</span></h2>
  <div class="p-summary" data-fill-with="abstract">
   <p>This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based

credentials by web applications, for the purpose of strongly authenticating users. Conceptually, one or more credentials, each
scoped to a given Relying Party, are created and stored on an authenticator by the user agent in conjunction with the web
application. The user agent mediates access to <a data-link-type="dfn" href="#public-key-credential">public key credentials</a> in order to preserve user privacy. <a data-link-type="dfn" href="#authenticator">Authenticators</a> are responsible for ensuring that no operation is performed without <a data-link-type="dfn" href="#user-consent">user consent</a>. <a data-link-type="dfn" href="#authenticator">Authenticators</a> provide cryptographic
proof of their properties to relying parties via <a data-link-type="dfn" href="#attestation">attestation</a>. This specification also describes the functional model for
WebAuthn conformant authenticators, including their signature and attestation functionality.</p>
  </div>
  <h2 class="no-num no-toc no-ref heading settled" id="status"><span class="content">Status of this document</span></h2>
  <div data-fill-with="status">
   <p> <em>This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the <a href="https://www.w3.org/TR/">W3C technical reports index</a> at https://www.w3.org/TR/.</em> </p>
   <p> This document was published by the <a href="https://www.w3.org/webauthn/">Web Authentication Working Group</a> as a Working Draft. This document is intended to become a W3C Recommendation.

    Feedback and comments on this specification are welcome. Please use <a href="https://github.com/w3c/webauthn/issues">Github issues</a>.
    Discussions may also be found in the <a href="https://lists.w3.org/Archives/Public/public-webauthn/">public-webauthn@w3.org archives</a>. </p>
   <p> Publication as a Working Draft does not imply endorsement by the <abbr title="World Wide Web Consortium">W3C</abbr> Membership. This is a draft document and may
    be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite
    this document as other than work in progress. </p>
   <p> This document was produced by a group operating under the <a href="https://www.w3.org/Consortium/Patent-Policy-20040205/">5 February 2004 <abbr title="World Wide Web Consortium">W3C</abbr> Patent Policy</a>. <abbr title="World Wide Web Consortium">W3C</abbr> maintains a <a href="https://www.w3.org/2004/01/pp-impl/87227/status" rel="disclosure">public list of any
    patent disclosures</a> made in connection with the deliverables of the group; that page also
    includes instructions for disclosing a patent. An individual who has actual knowledge of a
    patent which the individual believes contains <a href="https://www.w3.org/Consortium/Patent-Policy-20040205/#def-essential">Essential
    Claim(s)</a> must disclose the information in accordance with <a href="https://www.w3.org/Consortium/Patent-Policy-20040205/#sec-Disclosure">section 6 of the <abbr title="World Wide Web Consortium">W3C</abbr> Patent Policy</a>. </p>
   <p> This document is governed by the <a href="https://www.w3.org/2017/Process-20170301/" id="w3c_process_revision">1 March 2017
    W3C Process Document</a>. </p>
   <p></p>
  </div>
  <div data-fill-with="at-risk"></div>
  <nav data-fill-with="table-of-contents" id="toc">
   <h2 class="no-num no-toc no-ref" id="contents">Table of Contents</h2>
   <ol class="toc" role="directory">
    <li>
     <a href="#intro"><span class="secno">1</span> <span class="content">Introduction</span></a>
     <ol class="toc">
      <li>
       <a href="#use-cases"><span class="secno">1.1</span> <span class="content">Use Cases</span></a>
       <ol class="toc">
        <li><a href="#usecase-registration"><span class="secno">1.1.1</span> <span class="content">Registration</span></a>
        <li><a href="#usecase-authentication"><span class="secno">1.1.2</span> <span class="content">Authentication</span></a>
        <li><a href="#other-configurations"><span class="secno">1.1.3</span> <span class="content">Other use cases and configurations</span></a>
       </ol>
     </ol>
    <li>
     <a href="#conformance"><span class="secno">2</span> <span class="content">Conformance</span></a>
     <ol class="toc">
      <li><a href="#dependencies"><span class="secno">2.1</span> <span class="content">Dependencies</span></a>
     </ol>
    <li><a href="#terminology"><span class="secno">3</span> <span class="content">Terminology</span></a>
    <li>
     <a href="#api"><span class="secno">4</span> <span class="content"><span>Web Authentication API</span></span></a>
     <ol class="toc">
      <li>
       <a href="#iface-pkcredential"><span class="secno">4.1</span> <span class="content"><span>PublicKeyCredential</span> Interface</span></a>
       <ol class="toc">
        <li><a href="#credentialrequestoptions-extension"><span class="secno">4.1.1</span> <span class="content"><code>CredentialRequestOptions</code> Extension</span></a>
        <li><a href="#credentialcreationoptions-extension"><span class="secno">4.1.2</span> <span class="content"><code>CredentialCreationOptions</code> Extension</span></a>
        <li><a href="#createCredential"><span class="secno">4.1.3</span> <span class="content">Create a new credential - PublicKeyCredential’s <code>\[[Create]](options)</code> method</span></a>
        <li><a href="#getAssertion"><span class="secno">4.1.4</span> <span class="content">Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</span></a>
       </ol>
      <li>
       <a href="#iface-authenticatorresponse"><span class="secno">4.2</span> <span class="content">Authenticator Responses (interface <span>AuthenticatorResponse</span>)</span></a>
       <ol class="toc">
        <li><a href="#iface-authenticatorattestationresponse"><span class="secno">4.2.1</span> <span class="content">Information about Public Key Credential (interface <span>AuthenticatorAttestationResponse</span>)</span></a>
        <li><a href="#iface-authenticatorassertionresponse"><span class="secno">4.2.2</span> <span class="content">Web Authentication Assertion (interface <span>AuthenticatorAssertionResponse</span>)</span></a>
       </ol>
      <li><a href="#credential-params"><span class="secno">4.3</span> <span class="content">Parameters for Credential Generation (dictionary <span>PublicKeyCredentialParameters</span>)</span></a>
      <li><a href="#sctn-user-credential-params"><span class="secno">4.4</span> <span class="content">User Account Parameters for Credential Generation (dictionary <span>PublicKeyCredentialUserEntity</span>)</span></a>
      <li>
       <a href="#dictionary-makecredentialoptions"><span class="secno">4.5</span> <span class="content">Options for Credential Creation (dictionary <span>MakeCredentialOptions</span>)</span></a>
       <ol class="toc">
        <li><a href="#dictionary-pkcredentialentity"><span class="secno">4.5.1</span> <span class="content">Entity Description</span></a>
        <li><a href="#authenticatorSelection"><span class="secno">4.5.2</span> <span class="content">Authenticator Selection Criteria</span></a>
        <li><a href="#attachment"><span class="secno">4.5.3</span> <span class="content">Credential Attachment enumeration (enum <span>Attachment</span>)</span></a>
       </ol>
      <li><a href="#assertion-options"><span class="secno">4.6</span> <span class="content">Options for Assertion Generation (dictionary <span>PublicKeyCredentialRequestOptions</span>)</span></a>
      <li><a href="#iface-authentication-extensions"><span class="secno">4.7</span> <span class="content">Authentication Extensions (typedef <span>AuthenticationExtensions</span>)</span></a>
      <li>
       <a href="#supporting-data-structures"><span class="secno">4.8</span> <span class="content">Supporting Data Structures</span></a>
       <ol class="toc">
        <li><a href="#sec-client-data"><span class="secno">4.8.1</span> <span class="content">Client data used in WebAuthn signatures (dictionary <span>CollectedClientData</span>)</span></a>
        <li><a href="#credentialType"><span class="secno">4.8.2</span> <span class="content">Credential Type enumeration (enum <span>PublicKeyCredentialType</span>)</span></a>
        <li><a href="#credential-dictionary"><span class="secno">4.8.3</span> <span class="content">Credential Descriptor (dictionary <span>PublicKeyCredentialDescriptor</span>)</span></a>
        <li><a href="#transport"><span class="secno">4.8.4</span> <span class="content">Credential Transport enumeration (enum <span>ExternalTransport</span>)</span></a>
        <li><a href="#alg-identifier"><span class="secno">4.8.5</span> <span class="content">Cryptographic Algorithm Identifier (type <code class="idl"><span>AlgorithmIdentifier</span></code>)</span></a>
       </ol>
     </ol>
    <li>
     <a href="#authenticator-model"><span class="secno">5</span> <span class="content">WebAuthn Authenticator model</span></a>
     <ol class="toc">
      <li><a href="#sec-authenticator-data"><span class="secno">5.1</span> <span class="content">Authenticator data</span></a>
      <li>
       <a href="#authenticator-ops"><span class="secno">5.2</span> <span class="content">Authenticator operations</span></a>
       <ol class="toc">
        <li><a href="#op-make-cred"><span class="secno">5.2.1</span> <span class="content">The <span>authenticatorMakeCredential</span> operation</span></a>
        <li><a href="#op-get-assertion"><span class="secno">5.2.2</span> <span class="content">The <span>authenticatorGetAssertion</span> operation</span></a>
        <li><a href="#op-cancel"><span class="secno">5.2.3</span> <span class="content">The <span>authenticatorCancel</span> operation</span></a>
       </ol>
      <li>
       <a href="#cred-attestation"><span class="secno">5.3</span> <span class="content">Credential Attestation</span></a>
       <ol class="toc">
        <li><a href="#sec-attestation-data"><span class="secno">5.3.1</span> <span class="content">Attestation data</span></a>
        <li><a href="#attestation-formats"><span class="secno">5.3.2</span> <span class="content">Attestation Statement Formats</span></a>
        <li><a href="#sctn-attestation-types"><span class="secno">5.3.3</span> <span class="content">Attestation Types</span></a>
        <li><a href="#generating-an-attestation-object"><span class="secno">5.3.4</span> <span class="content">Generating an Attestation Object</span></a>
        <li>
         <a href="#sec-attestation-security-considerations"><span class="secno">5.3.5</span> <span class="content">Security Considerations</span></a>
         <ol class="toc">
          <li><a href="#sec-attestation-privacy"><span class="secno">5.3.5.1</span> <span class="content">Privacy</span></a>
          <li><a href="#ca-compromise"><span class="secno">5.3.5.2</span> <span class="content">Attestation Certificate and Attestation Certificate CA Compromise</span></a>
          <li><a href="#cert-hierarchy"><span class="secno">5.3.5.3</span> <span class="content">Attestation Certificate Hierarchy</span></a>
         </ol>
       </ol>
     </ol>
    <li>
     <a href="#rp-operations"><span class="secno">6</span> <span class="content"><span>Relying Party</span> Operations</span></a>
     <ol class="toc">
      <li><a href="#registering-a-new-credential"><span class="secno">6.1</span> <span class="content">Registering a new credential</span></a>
      <li><a href="#verifying-assertion"><span class="secno">6.2</span> <span class="content">Verifying an authentication assertion</span></a>
     </ol>
    <li>
     <a href="#defined-attestation-formats"><span class="secno">7</span> <span class="content">Defined Attestation Statement Formats</span></a>
     <ol class="toc">
      <li><a href="#sctn-attstn-fmt-ids"><span class="secno">7.1</span> <span class="content">Attestation Statement Format Identifiers</span></a>
      <li>
       <a href="#packed-attestation"><span class="secno">7.2</span> <span class="content">Packed Attestation Statement Format</span></a>
       <ol class="toc">
        <li><a href="#packed-attestation-cert-requirements"><span class="secno">7.2.1</span> <span class="content">Packed attestation statement certificate requirements</span></a>
       </ol>
      <li>
       <a href="#tpm-attestation"><span class="secno">7.3</span> <span class="content">TPM Attestation Statement Format</span></a>
       <ol class="toc">
        <li><a href="#tpm-cert-requirements"><span class="secno">7.3.1</span> <span class="content">TPM attestation statement certificate requirements</span></a>
       </ol>
      <li><a href="#android-key-attestation"><span class="secno">7.4</span> <span class="content">Android Key Attestation Statement Format</span></a>
      <li><a href="#android-safetynet-attestation"><span class="secno">7.5</span> <span class="content">Android SafetyNet Attestation Statement Format</span></a>
      <li><a href="#fido-u2f-attestation"><span class="secno">7.6</span> <span class="content">FIDO U2F Attestation Statement Format</span></a>
     </ol>
    <li>
     <a href="#extensions"><span class="secno">8</span> <span class="content">WebAuthn Extensions</span></a>
     <ol class="toc">
      <li><a href="#sctn-extension-id"><span class="secno">8.1</span> <span class="content">Extension Identifiers</span></a>
      <li><a href="#sctn-extension-specification"><span class="secno">8.2</span> <span class="content">Defining extensions</span></a>
      <li><a href="#sctn-extension-request-parameters"><span class="secno">8.3</span> <span class="content">Extending request parameters</span></a>
      <li><a href="#sctn-client-extension-processing"><span class="secno">8.4</span> <span class="content"><span>Client extension processing</span></span></a>
      <li><a href="#sctn-authenticator-extension-processing"><span class="secno">8.5</span> <span class="content"><span>Authenticator extension processing</span></span></a>
      <li><a href="#sctn-example-extension"><span class="secno">8.6</span> <span class="content">Example Extension</span></a>
     </ol>
    <li>
     <a href="#sctn-defined-extensions"><span class="secno">9</span> <span class="content">Defined Extensions</span></a>
     <ol class="toc">
      <li><a href="#sctn-appid-extension"><span class="secno">9.1</span> <span class="content">FIDO AppId Extension (appid)</span></a>
      <li><a href="#sctn-simple-txauth-extension"><span class="secno">9.2</span> <span class="content">Simple Transaction Authorization Extension (txAuthSimple)</span></a>
      <li><a href="#sctn-generic-txauth-extension"><span class="secno">9.3</span> <span class="content">Generic Transaction Authorization Extension (txAuthGeneric)</span></a>
      <li><a href="#sctn-authenticator-selection-extension"><span class="secno">9.4</span> <span class="content">Authenticator Selection Extension (authnSel)</span></a>
      <li><a href="#sctn-supported-extensions-extension"><span class="secno">9.5</span> <span class="content">Supported Extensions Extension (exts)</span></a>
      <li><a href="#sctn-uvi-extension"><span class="secno">9.6</span> <span class="content">User Verification Index Extension (uvi)</span></a>
      <li><a href="#sctn-location-extension"><span class="secno">9.7</span> <span class="content">Location Extension (loc)</span></a>
      <li><a href="#sctn-uvm-extension"><span class="secno">9.8</span> <span class="content">User Verification Method Extension (uvm)</span></a>
     </ol>
    <li>
     <a href="#sctn-IANA"><span class="secno">10</span> <span class="content">IANA Considerations</span></a>
     <ol class="toc">
      <li><a href="#sctn-att-fmt-reg"><span class="secno">10.1</span> <span class="content">WebAuthn Attestation Statement Format Identifier Registrations</span></a>
      <li><a href="#sctn-extensions-reg"><span class="secno">10.2</span> <span class="content">WebAuthn Extension Identifier Registrations</span></a>
     </ol>
    <li>
     <a href="#sample-scenarios"><span class="secno">11</span> <span class="content">Sample scenarios</span></a>
     <ol class="toc">
      <li><a href="#sample-registration"><span class="secno">11.1</span> <span class="content">Registration</span></a>
      <li><a href="#sample-authentication"><span class="secno">11.2</span> <span class="content">Authentication</span></a>
      <li><a href="#sample-decommissioning"><span class="secno">11.3</span> <span class="content">Decommissioning</span></a>
     </ol>
    <li><a href="#acknowledgements"><span class="secno">12</span> <span class="content">Acknowledgements</span></a>
    <li>
     <a href="#index"><span class="secno"></span> <span class="content">Index</span></a>
     <ol class="toc">
      <li><a href="#index-defined-here"><span class="secno"></span> <span class="content">Terms defined by this specification</span></a>
      <li><a href="#index-defined-elsewhere"><span class="secno"></span> <span class="content">Terms defined by reference</span></a>
     </ol>
    <li>
     <a href="#references"><span class="secno"></span> <span class="content">References</span></a>
     <ol class="toc">
      <li><a href="#normative"><span class="secno"></span> <span class="content">Normative References</span></a>
      <li><a href="#informative"><span class="secno"></span> <span class="content">Informative References</span></a>
     </ol>
    <li><a href="#idl-index"><span class="secno"></span> <span class="content">IDL Index</span></a>
   </ol>
  </nav>
  <main>
   <h2 class="heading settled" data-level="1" id="intro"><span class="secno">1. </span><span class="content">Introduction</span><a class="self-link" href="#intro"></a></h2>
   <p><em>This section is not normative.</em></p>
   <p>This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based
credentials by web applications, for the purpose of strongly authenticating users. A <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential-1">public key credential</a> is
created and stored by an <em><a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-1">authenticator</a></em> at the behest of a <em><a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-1">Relying Party</a></em>, subject to <em><a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent-1">user
consent</a></em>. Subsequently, the <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential-2">public key credential</a> can only be accessed by <a data-link-type="dfn" href="https://w3c.github.io/html/browsers.html#concept-cross-origin">origins</a> belonging to that <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-2">Relying Party</a>.
This scoping is enforced jointly by <em><a data-link-type="dfn" href="#conforming-user-agent" id="ref-for-conforming-user-agent-1">conforming User Agents</a></em> and <em><a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-2">authenticators</a></em>.
Additionally, privacy across <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-3">Relying Parties</a> is maintained; Relying Parties are not able to detect any properties, or even
the existence, of credentials scoped to other Relying Parties.</p>
   <p>Relying Parties employ the <a data-link-type="dfn" href="#web-authentication-api" id="ref-for-web-authentication-api-1">Web Authentication API</a> during two distinct, but related, <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony-1">ceremonies</a> involving a user. The first
is <a data-link-type="dfn" href="#registration" id="ref-for-registration-1">Registration</a>, where a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential-3">public key credential</a> is created on an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-3">authenticator</a>, and associated by a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-4">Relying Party</a> with the present user’s account (the account may already exist or may be created at this time). The second is <a data-link-type="dfn" href="#authentication" id="ref-for-authentication-1">Authentication</a>, where the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-5">Relying Party</a> is presented with an <em><a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion-1">Authentication Assertion</a></em> proving the presence
and consent of the user who registered the <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential-4">public key credential</a>. Functionally, the <a data-link-type="dfn" href="#web-authentication-api" id="ref-for-web-authentication-api-2">Web Authentication API</a> comprises
a <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential-1">PublicKeyCredential</a></code> which extends the Credential Management API <a data-link-type="biblio" href="#biblio-credential-management-1">[CREDENTIAL-MANAGEMENT-1]</a>, and infrastructure which
allows those credentials to be used with <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create">navigator.credentials.create()</a></code> and <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get">navigator.credentials.get()</a></code>. The former is used during <a data-link-type="dfn" href="#registration" id="ref-for-registration-2">Registration</a>, and the
latter during <a data-link-type="dfn" href="#authentication" id="ref-for-authentication-2">Authentication</a>.</p>
   <p>Broadly, compliant <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-4">authenticators</a> protect <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential-5">public key credentials</a>, and interact with user agents to implement the <a data-link-type="dfn" href="#web-authentication-api" id="ref-for-web-authentication-api-3">Web Authentication API</a>. Some authenticators may run on the same computing device (e.g., smart phone, tablet, desktop PC) as
the user agent is running on. For instance, such an authenticator might consist of a Trusted Execution Environment (TEE) applet,
a Trusted Platform Module (TPM), or a Secure Element (SE) integrated into the computing device in conjunction with some means
for <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification-1">user verification</a>, along with appropriate platform software to mediate access to these components' functionality. Other
authenticators may operate autonomously from the computing device running the user agent, and be accessed over a transport such
as Universal Serial Bus (USB), Bluetooth Low Energy (BLE) or Near Field Communications (NFC).</p>
   <h3 class="heading settled" data-level="1.1" id="use-cases"><span class="secno">1.1. </span><span class="content">Use Cases</span><a class="self-link" href="#use-cases"></a></h3>
   <p>The below use case scenarios illustrate use of two very different types of <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-5">authenticators</a>, as well as outline further
scenarios. Additional scenarios, including sample code, are given later in <a href="#sample-scenarios">§11 Sample scenarios</a>.</p>
   <h4 class="heading settled" data-level="1.1.1" id="usecase-registration"><span class="secno">1.1.1. </span><span class="content">Registration</span><a class="self-link" href="#usecase-registration"></a></h4>
   <ul>
    <li data-md="">
     <p>On a phone:</p>
     <ul>
      <li data-md="">
       <p>User navigates to example.com in a browser and signs in to an existing account using whatever method they have been using
(possibly a legacy method such as a password), or creates a new account.</p>
      <li data-md="">
       <p>The phone prompts, "Do you want to register this device with example.com?"</p>
      <li data-md="">
       <p>User agrees.</p>
      <li data-md="">
       <p>The phone prompts the user for a previously configured <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture-1">authorization gesture</a> (PIN, biometric, etc.); the user
provides this.</p>
      <li data-md="">
       <p>Website shows message, "Registration complete."</p>
     </ul>
   </ul>
   <h4 class="heading settled" data-level="1.1.2" id="usecase-authentication"><span class="secno">1.1.2. </span><span class="content">Authentication</span><a class="self-link" href="#usecase-authentication"></a></h4>
   <ul>
    <li data-md="">
     <p>On a laptop or desktop:</p>
     <ul>
      <li data-md="">
       <p>User navigates to example.com in a browser, sees an option to "Sign in with your phone."</p>
      <li data-md="">
       <p>User chooses this option and gets a message from the browser, "Please complete this action on your phone."</p>
     </ul>
    <li data-md="">
     <p>Next, on their phone:</p>
     <ul>
      <li data-md="">
       <p>User sees a discrete prompt or notification, "Sign in to example.com."</p>
      <li data-md="">
       <p>User selects this prompt / notification.</p>
      <li data-md="">
       <p>User is shown a list of their example.com identities, e.g., "Sign in as Alice / Sign in as Bob."</p>
      <li data-md="">
       <p>User picks an identity, is prompted for an <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture-2">authorization gesture</a> (PIN, biometric, etc.) and provides this.</p>
     </ul>
    <li data-md="">
     <p>Now, back on the laptop:</p>
     <ul>
      <li data-md="">
       <p>Web page shows that the selected user is signed-in, and navigates to the signed-in page.</p>
     </ul>
   </ul>
   <h4 class="heading settled" data-level="1.1.3" id="other-configurations"><span class="secno">1.1.3. </span><span class="content">Other use cases and configurations</span><a class="self-link" href="#other-configurations"></a></h4>
   <p>A variety of additional use cases and configurations are also possible, including (but not limited to):</p>
   <ul>
    <li data-md="">
     <p>A user navigates to example.com on their laptop, is guided through a flow to create and register a credential on their phone.</p>
    <li data-md="">
     <p>A user obtains an discrete, <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators-1">roaming authenticator</a>, such as a "fob" with USB or USB+NFC/BLE connectivity options, loads
example.com in their browser on a laptop or phone, and is guided though a flow to create and register a credential on the
fob.</p>
    <li data-md="">
     <p>A <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-6">Relying Party</a> prompts the user for their <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture-3">authorization gesture</a> in order to authorize a single transaction, such as a payment
or other financial transaction.</p>
   </ul>
   <h2 class="heading settled" data-level="2" id="conformance"><span class="secno">2. </span><span class="content">Conformance</span><a class="self-link" href="#conformance"></a></h2>
   <p>This specification defines criteria for a <a data-link-type="dfn" href="#conforming-user-agent" id="ref-for-conforming-user-agent-2">Conforming User Agent</a>: A User Agent MUST behave as described in this
specification in order to be considered conformant. <a data-link-type="dfn" href="#conforming-user-agent" id="ref-for-conforming-user-agent-3">Conforming User Agents</a> MAY implement algorithms given in this
specification in any way desired, so long as the end result is indistinguishable from the result that would be obtained by the
specification’s algorithms. A conforming User Agent MUST also be a conforming implementation of the IDL fragments of this
specification, as described in the “Web IDL” specification. <a data-link-type="biblio" href="#biblio-webidl-1">[WebIDL-1]</a></p>
   <p>This specification also defines a model of a conformant <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-6">authenticator</a> (see <a href="#authenticator-model">§5 WebAuthn Authenticator model</a>). This is a set of
functional and security requirements for an authenticator to be usable by a <a data-link-type="dfn" href="#conforming-user-agent" id="ref-for-conforming-user-agent-4">Conforming User Agent</a>. As described in <a href="#use-cases">§1.1 Use Cases</a>, an authenticator may be implemented in the operating system underlying the User Agent, or in external hardware,
or a combination of both.</p>
   <h3 class="heading settled" data-level="2.1" id="dependencies"><span class="secno">2.1. </span><span class="content">Dependencies</span><a class="self-link" href="#dependencies"></a></h3>
   <p>This specification relies on several other underlying specifications, listed
below and in <a href="#index-defined-elsewhere">Terms defined by reference</a>.</p>
   <dl>
    <dt data-md="">Base64url encoding
    <dd data-md="">
     <p>The term <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="base64url-encoding">Base64url Encoding</dfn> refers to the base64 encoding using the URL- and filename-safe character set defined
in Section 5 of <a data-link-type="biblio" href="#biblio-rfc4648">[RFC4648]</a>, with all trailing '=' characters omitted (as permitted by Section 3.2) and without the
inclusion of any line breaks, whitespace, or other additional characters.</p>
    <dt data-md="">CBOR
    <dd data-md="">
     <p>A number of structures in this specification, including attestation statements and extensions, are encoded using the Compact
Binary Object Representation (<dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="cbor">CBOR</dfn>) <a data-link-type="biblio" href="#biblio-rfc7049">[RFC7049]</a>.</p>
    <dt data-md="">CDDL
    <dd data-md="">
     <p>This specification describes the syntax of all CBOR-encoded data using the CBOR Data Definition Language (CDDL) <a data-link-type="biblio" href="#biblio-cddl">[CDDL]</a>.</p>
    <dt data-md="">Credential Management
    <dd data-md="">
     <p>The API described in this document is an extension of the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#credential">Credential</a></code> concept defined in <a data-link-type="biblio" href="#biblio-credential-management-1">[CREDENTIAL-MANAGEMENT-1]</a>.</p>
    <dt data-md="">DOM
    <dd data-md="">
     <p><code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException">DOMException</a></code> and the DOMException values used in this specification are defined in <a data-link-type="biblio" href="#biblio-dom4">[DOM4]</a>.</p>
    <dt data-md="">ECMAScript
    <dd data-md="">
     <p><a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-arraybuffer-constructor">%ArrayBuffer%</a> is defined in <a data-link-type="biblio" href="#biblio-ecmascript">[ECMAScript]</a>.</p>
    <dt data-md="">HTML
    <dd data-md="">
     <p>The concepts of <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#relevant-settings-object">relevant settings object</a>, <a data-link-type="dfn" href="https://w3c.github.io/html/browsers.html#concept-cross-origin">origin</a>, <a data-link-type="dfn" href="https://w3c.github.io/html/browsers.html#opaque-origin">opaque origin</a>, and <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#is-a-registrable-domain-suffix-of-or-is-equal-to">is a registrable domain suffix of or is equal to</a> are defined in <a data-link-type="biblio" href="#biblio-html52">[HTML52]</a>.</p>
    <dt data-md="">Web Cryptography API
    <dd data-md="">
     <p>The <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/WebCryptoAPI/#dfn-AlgorithmIdentifierS">AlgorithmIdentifier</a></code> type and the method for <a data-link-type="dfn" href="https://www.w3.org/TR/WebCryptoAPI/#dfn-normalize-an-algorithm">normalizing an algorithm</a> are defined in <a href="https://www.w3.org/TR/WebCryptoAPI/#algorithm-dictionary">Web Cryptography API §algorithm-dictionary</a>.</p>
    <dt data-md="">Web IDL
    <dd data-md="">
     <p>Many of the interface definitions and all of the IDL in this specification depend on <a data-link-type="biblio" href="#biblio-webidl-1">[WebIDL-1]</a>. This updated version of
the Web IDL standard adds support for <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-promise">Promise</a></code>s, which are now the preferred mechanism for asynchronous
interaction in all new web APIs.</p>
   </dl>
   <p>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and
"OPTIONAL" in this document are to be interpreted as described in <a data-link-type="biblio" href="#biblio-rfc2119">[RFC2119]</a>.</p>
   <h2 class="heading settled" data-level="3" id="terminology"><span class="secno">3. </span><span class="content">Terminology</span><a class="self-link" href="#terminology"></a></h2>
   <dl>
    <dt data-md=""><dfn data-dfn-type="dfn" data-noexport="" id="assertion">Assertion<a class="self-link" href="#assertion"></a></dfn>
    <dd data-md="">
     <p>See <a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion-2">Authentication Assertion</a>.</p>
    <dt data-md=""><dfn data-dfn-type="dfn" data-noexport="" id="attestation">Attestation<a class="self-link" href="#attestation"></a></dfn>
    <dd data-md="">
     <p>Generally, a statement that serves to bear witness, confirm, or authenticate.
In the WebAuthn context, attestation is employed to attest to the provenance of an authenticator and the data it emits;
including, for example: credential IDs, credential key pairs, signature counters, etc. <dfn data-dfn-type="dfn" data-noexport="" id="attestation-information">Attestation information<a class="self-link" href="#attestation-information"></a></dfn> is
conveyed in <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="attestation-objects">attestation objects</dfn>.
See also <a data-link-type="dfn" href="#attestation-statement-format" id="ref-for-attestation-statement-format-1">attestation statement format</a>, and <a data-link-type="dfn" href="#attestation-type" id="ref-for-attestation-type-1">attestation type</a>.</p>
    <dt data-md=""><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="attestation-certificate">Attestation Certificate</dfn>
    <dd data-md="">
     <p>A X.509 Certificate for the <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="attestation-key-pair">attestation key pair</dfn> used by an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-7">authenticator</a> to attest to its manufacture
and capabilities. At <a data-link-type="dfn" href="#registration" id="ref-for-registration-3">registration</a> time, the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-8">authenticator</a> uses the <dfn data-dfn-type="dfn" data-noexport="" id="attestation-private-key">attestation private key<a class="self-link" href="#attestation-private-key"></a></dfn> to sign
the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-7">Relying Party</a>-specific <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key-1">credential public key</a> (and additional data) that it generates and returns via the <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential-1">authenticatorMakeCredential</a> operation. Relying Parties use the <dfn data-dfn-type="dfn" data-noexport="" id="attestation-public-key">attestation public key<a class="self-link" href="#attestation-public-key"></a></dfn> conveyed in the <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate-1">attestation
certificate</a> to verify the attestation signature. Note that in the case of <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation-1">self attestation</a>, the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-9">authenticator</a> has no distinct <a data-link-type="dfn" href="#attestation-key-pair" id="ref-for-attestation-key-pair-1">attestation key pair</a> nor <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate-2">attestation certificate</a>, see <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation-2">self
attestation</a> for details.</p>
    <dt data-md=""><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="authentication">Authentication</dfn>
    <dd data-md="">
     <p>The <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony-2">ceremony</a> where a user, and the user’s computing device(s) (containing at least one <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-10">authenticator</a>) work in
concert to cryptographically prove to an <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-8">Relying Party</a> that the user controls the private key associated with a
previously-registered <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential-6">public key credential</a> (see <a data-link-type="dfn" href="#registration" id="ref-for-registration-4">Registration</a>). Note that this includes employing <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification-2">user
verification</a>.</p>
    <dt data-md=""><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="authentication-assertion">Authentication Assertion</dfn>
    <dd data-md="">
     <p>The cryptographically signed <code class="idl"><a data-link-type="idl" href="#authenticatorassertionresponse" id="ref-for-authenticatorassertionresponse-1">AuthenticatorAssertionResponse</a></code> object returned by an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-11">authenticator</a> as the result of a <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion-1">authenticatorGetAssertion</a> operation.</p>
    <dt data-md=""><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="authenticator">Authenticator</dfn>
    <dd data-md="">
     <p>A cryptographic device used by a <a data-link-type="dfn" href="#webauthn-client" id="ref-for-webauthn-client-1">WebAuthn Client</a> to (i) generate a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential-7">public key credential</a> and register it with a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-9">Relying Party</a>,
and (ii) subsequently used to cryptographically sign and return, in the form of an <a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion-3">Authentication Assertion</a>, a
challenge and other data presented by a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-10">Relying Party</a> (in concert with the <a data-link-type="dfn" href="#webauthn-client" id="ref-for-webauthn-client-2">WebAuthn Client</a>) in order to effect <a data-link-type="dfn" href="#authentication" id="ref-for-authentication-3">authentication</a>.</p>
    <dt data-md=""><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="authorization-gesture">Authorization Gesture</dfn>
    <dd data-md="">
     <p>An <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture-4">authorization gesture</a> is a physical interaction performed by a user with an authenticator as part of a <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony-3">ceremony</a>,
such as <a data-link-type="dfn" href="#registration" id="ref-for-registration-5">registration</a> or <a data-link-type="dfn" href="#authentication" id="ref-for-authentication-4">authentication</a>. By making such an <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture-5">authorization gesture</a>, a user <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent-2">provides
consent</a> for (i.e., <em>authorizes</em>) a <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony-4">ceremony</a> to proceed. This may involve <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification-3">user verification</a> if the
employed <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-12">authenticator</a> is capable, or it may involve a simple <a data-link-type="dfn" href="#test-of-user-presence" id="ref-for-test-of-user-presence-1">test of user presence</a>.</p>
    <dt data-md=""><dfn class="dfn-paneled" data-dfn-type="dfn" data-lt="Biometric Recognition" data-noexport="" id="biometric-recognition">Biometric Recognition </dfn>
    <dd data-md="">
     <p>The automated recognition of individuals based on their biological and behavioral characteristics <a data-link-type="biblio" href="#biblio-isobiometricvocabulary">[ISOBiometricVocabulary]</a>.</p>
    <dt data-md=""><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="ceremony">Ceremony</dfn>
    <dd data-md="">
     <p>The concept of a <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony-5">ceremony</a> <a data-link-type="biblio" href="#biblio-ceremony">[Ceremony]</a> is an extension of the concept of a network protocol, with human nodes alongside
computer nodes and with communication links that include user interface(s), human-to-human communication, and transfers of
physical objects that carry data. What is out-of-band to a protocol is in-band to a ceremony. In this specification, <a data-link-type="dfn" href="#registration" id="ref-for-registration-6">Registration</a> and <a data-link-type="dfn" href="#authentication" id="ref-for-authentication-5">Authentication</a> are ceremonies, and an <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture-6">authorization gesture</a> is often a component of
those <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony-6">ceremonies</a>.</p>
    <dt data-md=""><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="client">Client</dfn>
    <dd data-md="">
     <p>See <a data-link-type="dfn" href="#conforming-user-agent" id="ref-for-conforming-user-agent-5">Conforming User Agent</a>.</p>
    <dt data-md=""><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="conforming-user-agent">Conforming User Agent</dfn>
    <dd data-md="">
     <p>A user agent implementing, in conjunction with the underlying platform, the <a data-link-type="dfn" href="#web-authentication-api" id="ref-for-web-authentication-api-4">Web Authentication API</a> and algorithms
given in this specification, and handling communication between <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-13">authenticators</a> and <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-11">Relying Parties</a>.</p>
    <dt data-md=""><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="credential-public-key">Credential Public Key</dfn>
    <dd data-md="">
     <p>The public key portion of an <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-12">Relying Party</a>-specific <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="credential-key-pair">credential key pair</dfn>, generated by an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-14">authenticator</a> and
returned to an <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-13">Relying Party</a> at <a data-link-type="dfn" href="#registration" id="ref-for-registration-7">registration</a> time (see also <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential-8">public key credential</a>). The private key portion of the <a data-link-type="dfn" href="#credential-key-pair" id="ref-for-credential-key-pair-1">credential key pair</a> is known as the <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="credential-private-key">credential private key</dfn>. Note that in the case of <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation-3">self
attestation</a>, the <a data-link-type="dfn" href="#credential-key-pair" id="ref-for-credential-key-pair-2">credential key pair</a> is also used as the <a data-link-type="dfn" href="#attestation-key-pair" id="ref-for-attestation-key-pair-2">attestation key pair</a>, see <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation-4">self attestation</a> for details.</p>
    <dt data-md=""><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="registration">Registration</dfn>
    <dd data-md="">
     <p>The <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony-7">ceremony</a> where a user, a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-14">Relying Party</a>, and the user’s computing device(s) (containing at least one <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-15">authenticator</a>) work in concert to create a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential-9">public key credential</a> and associate it with the user’s <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-15">Relying Party</a> account. Note that this includes employing <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification-4">user verification</a>.</p>
    <dt data-md=""><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="relying-party">Relying Party</dfn>
    <dd data-md="">
     <p>The entity whose web application utilizes the <a data-link-type="dfn" href="#web-authentication-api" id="ref-for-web-authentication-api-5">Web Authentication API</a> to register and authenticate users. See <a data-link-type="dfn" href="#registration" id="ref-for-registration-8">Registration</a> and <a data-link-type="dfn" href="#authentication" id="ref-for-authentication-6">Authentication</a>, respectively.</p>
     <p class="note" role="note"><span>Note:</span> While the term <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-16">Relying Party</a> is used in other contexts (e.g., X.509 and OAuth), an entity acting as a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-17">Relying Party</a> in one context is
    not necessarily a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-18">Relying Party</a> in other contexts.</p>
    <dt data-md=""><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="relying-party-identifier">Relying Party Identifier</dfn>
    <dt data-md=""><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="rp-id">RP ID</dfn>
    <dd data-md="">
     <p>An identifier for the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-19">Relying Party</a> on whose behalf a given registration or authentication ceremony is being performed. Public Key
credentials can only be used for authentication by the same entity (as identified by RP ID) that created and registered
them. By default, the RP ID for a WebAuthn operation is set to the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin">origin</a> specified by the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#relevant-settings-object">relevant settings object</a> of the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#credentialscontainer">CredentialsContainer</a></code> object. This default can be overridden by the caller subject
to certain restrictions, as specified in <a href="#createCredential">§4.1.3 Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a> and <a href="#getAssertion">§4.1.4 Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a>.</p>
    <dt data-md=""><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="public-key-credential">Public Key Credential</dfn>
    <dd data-md="">
     <p>Generically, a credential is data one entity presents to another in order to authenticate the former’s identity <a data-link-type="biblio" href="#biblio-rfc4949">[RFC4949]</a>.
A WebAuthn <em><a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential-10">public key credential</a></em> is a <code>{ identifier, type }</code> pair identifying authentication
information established by the authenticator and the Relying Party, together, at <a data-link-type="dfn" href="#registration" id="ref-for-registration-9">registration</a> time. The authentication
information consists of an asymmetric key pair, where the public key portion is returned to the Relying Party, which stores it in
conjunction with the present user’s account. The authenticator maps the private key to the Relying Party’s <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id-1">RP ID</a> and stores
it. Subsequently, only that Relying Party, as identified by its <a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id-2">RP ID</a>, is able to employ the <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential-11">public key credential</a> in <a data-link-type="dfn" href="#authentication" id="ref-for-authentication-7">authentication</a> ceremonies, via the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get">get()</a></code> method. The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-20">Relying Party</a> uses its copy of the stored public
key to verify the resultant <a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion-4">Authentication Assertion</a>.</p>
    <dt data-md=""><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="test-of-user-presence">Test of User Presence</dfn>
    <dt data-md=""><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="tup">TUP</dfn>
    <dd data-md="">
     <p>A <a data-link-type="dfn" href="#test-of-user-presence" id="ref-for-test-of-user-presence-2">test of user presence</a> is a simple form of <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture-7">authorization gesture</a> and technical process where a user interacts with
an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-16">authenticator</a> by (typically) simply touching it (other modalities may also exist), yielding a boolean result. Note
that this does not constitute <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification-5">user verification</a> because <a data-link-type="dfn" href="#tup" id="ref-for-tup-1">TUP</a>, by definition, is not capable of <a data-link-type="dfn" href="#biometric-recognition" id="ref-for-biometric-recognition-1">biometric
recognition</a>, nor does it involve the presentation of a shared secret such as a password or PIN.</p>
    <dt data-md=""><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="client-side-resident-credential-private-key">Client-side-resident Credential Private Key</dfn>
    <dd data-md="">
     <p>A <a data-link-type="dfn" href="#client-side-resident-credential-private-key" id="ref-for-client-side-resident-credential-private-key-1">Client-side-resident Credential Private Key</a> is stored either on the client platform, or in some cases on the authenticator
itself, e.g., in the case of a discrete first-factor roaming authenticator. Such <dfn data-dfn-type="dfn" data-lt="client-side credential private key storage" data-noexport="" id="client-side-credential-private-key-storage">client-side credential private key 
storage<a class="self-link" href="#client-side-credential-private-key-storage"></a></dfn> has the property that the authenticator is able to select the <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key-1">credential private key</a> given only an RP ID, 
possibly with user assistance (e.g., by providing the user a pick list of credentials associated with the RP ID). By definition,
the private key is always exclusively controlled by the Authenticator. In the case of a <a data-link-type="dfn" href="#client-side-resident-credential-private-key" id="ref-for-client-side-resident-credential-private-key-2">Client-side-resident Credential Private
Key</a>, the Authenticator might offload storage of wrapped key material to the client platform, but the client platform is not 
expected to offload the key storage to remote entities (e.g. RP Server).</p>
    <dt data-md=""><dfn data-dfn-type="dfn" data-noexport="" id="client-side">Client-Side<a class="self-link" href="#client-side"></a></dfn>
    <dd data-md="">
     <p>This refers in general to the combination of the user’s platform device, user agent, authenticators, and everything gluing
it all together.</p>
    <dt data-md=""><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="user-consent">User Consent</dfn>
    <dd data-md="">
     <p>User consent means the user agrees with what they are being asked, i.e., it encompasses reading and understanding prompts.
An <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture-8">authorization gesture</a> is a <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony-8">ceremony</a> component often employed to indicate <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent-3">user consent</a>.</p>
    <dt data-md=""><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="user-verification">User Verification</dfn>
    <dd data-md="">
     <p>The technical process by which an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-17">authenticator</a> <em>locally authorizes</em> the invocation of the <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential-2">authenticatorMakeCredential</a> and <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion-2">authenticatorGetAssertion</a> operations. <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification-6">User verification</a> may be instigated
through various <a data-link-type="dfn" href="#authorization-gesture" id="ref-for-authorization-gesture-9">authorization gesture</a> modalities; for example, through a touch plus pin code, password entry, or <a data-link-type="dfn" href="#biometric-recognition" id="ref-for-biometric-recognition-2">biometric recognition</a> (e.g., presenting a fingerprint) <a data-link-type="biblio" href="#biblio-isobiometricvocabulary">[ISOBiometricVocabulary]</a>. The intent is to be able to
distinguish individual users. Note that invocation of the <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential-3">authenticatorMakeCredential</a> and <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion-3">authenticatorGetAssertion</a> operations implies use of key material managed by the authenticator. Note that for
security, <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification-7">user verification</a> and use of <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key-2">credential private keys</a> must occur within a single logical security boundary
defining the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-18">authenticator</a>.</p>
    <dt data-md=""><dfn data-dfn-type="dfn" data-noexport="" id="concept-user-verified">User Verified<a class="self-link" href="#concept-user-verified"></a></dfn>
    <dd data-md="">
     <p>Upon successful completion of a <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification-8">user verification</a> process, the user is said to be "verified".</p>
    <dt data-md=""><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="webauthn-client">WebAuthn Client</dfn>
    <dd data-md="">
     <p>Also referred to herein as simply a <a data-link-type="dfn" href="#client" id="ref-for-client-1">client</a>. See also <a data-link-type="dfn" href="#conforming-user-agent" id="ref-for-conforming-user-agent-6">Conforming User Agent</a>.</p>
   </dl>
   <h2 class="heading settled" data-level="4" id="api"><span class="secno">4. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="web-authentication-api">Web Authentication API</dfn></span><a class="self-link" href="#api"></a></h2>
   <p>This section normatively specifies the API for creating and using <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential-12">public key credentials</a>. The basic
idea is that the credentials belong to the user and are managed by an authenticator, with which the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-21">Relying Party</a> interacts through the
client (consisting of the browser and underlying OS platform). Scripts can (with the user’s consent) request the browser to
create a new credential for future use by the Relying Party. Scripts can also request the user’s permission to perform authentication
operations with an existing credential. All such operations are performed in the authenticator and are mediated by the browser
and/or platform on the user’s behalf. At no point does the script get access to the credentials themselves; it only gets
information about the credentials in the form of objects.</p>
   <p>In addition to the above script interface, the authenticator may implement (or come with client software that implements) a user
interface for management. Such an interface may be used, for example, to reset the authenticator to a clean state or to inspect
the current state of the authenticator. In other words, such an interface is similar to the user interfaces provided by browsers
for managing user state such as history, saved passwords and cookies. Authenticator management actions such as credential
deletion are considered to be the responsibility of such a user interface and are deliberately omitted from the API exposed to
scripts.</p>
   <p>The security properties of this API are provided by the client and the authenticator working together. The authenticator, which
holds and manages credentials, ensures that all operations are scoped to a particular <a data-link-type="dfn" href="https://w3c.github.io/html/browsers.html#concept-cross-origin">origin</a>, and cannot be replayed against
a different <a data-link-type="dfn" href="https://w3c.github.io/html/browsers.html#concept-cross-origin">origin</a>, by incorporating the <a data-link-type="dfn" href="https://w3c.github.io/html/browsers.html#concept-cross-origin">origin</a> in its responses. Specifically, as defined in <a href="#authenticator-ops">§5.2 Authenticator operations</a>,
the full <a data-link-type="dfn" href="https://w3c.github.io/html/browsers.html#concept-cross-origin">origin</a> of the requester is included, and signed over, in the <a data-link-type="dfn" href="#attestation-objects" id="ref-for-attestation-objects-1">attestation object</a> produced when a new credential
is created as well as in all assertions produced by WebAuthn credentials.</p>
   <p>Additionally, to maintain user privacy and prevent malicious Relying Parties from probing for the presence of credentials belonging to
other Relying Parties, each credential is also associated with a Relying Party Identifier, or RP ID. This RP ID is provided by the client
to the authenticator for all operations, and the authenticator ensures that credentials created by a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-22">Relying Party</a> can only be used in
operations requested by the same RP ID. Separating the <a data-link-type="dfn" href="https://w3c.github.io/html/browsers.html#concept-cross-origin">origin</a> from the RP ID in this way allows the API to be used in cases
where a single <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-23">Relying Party</a> maintains multiple <a data-link-type="dfn" href="https://w3c.github.io/html/browsers.html#concept-cross-origin">origins</a>.</p>
   <p>The client facilitates these security measures by providing correct <a data-link-type="dfn" href="https://w3c.github.io/html/browsers.html#concept-cross-origin">origins</a> and RP IDs to the authenticator for each
operation. Since this is an integral part of the WebAuthn security model, user agents MUST only expose this API to callers in <a data-link-type="dfn" href="https://w3c.github.io/webappsec-secure-contexts/#secure-context">secure contexts</a>.</p>
   <p>The Web Authentication API is defined by the union of the Web IDL fragments presented in the following sections. A combined IDL
listing is given in the <a href="#idl-index">IDL Index</a>.</p>
   <h3 class="heading settled" data-level="4.1" id="iface-pkcredential"><span class="secno">4.1. </span><span class="content"><dfn class="dfn-paneled idl-code" data-dfn-type="interface" data-export="" id="publickeycredential">PublicKeyCredential</dfn> Interface</span><a class="self-link" href="#iface-pkcredential"></a></h3>
   <p>The <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential-2">PublicKeyCredential</a></code> interface inherits from <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#credential">Credential</a></code> <a data-link-type="biblio" href="#biblio-credential-management-1">[CREDENTIAL-MANAGEMENT-1]</a>, and contains the attributes
that are returned to the caller when a new credential is created, or a new assertion is requested.</p>
<pre class="idl highlight def">[<a class="nv idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SecureContext">SecureContext</a>]
<span class="kt">interface</span> <a class="nv idl-code" data-link-type="interface" href="#publickeycredential" id="ref-for-publickeycredential-3">PublicKeyCredential</a> : <a class="n" data-link-type="idl-name" href="https://w3c.github.io/webappsec-credential-management/#credential">Credential</a> {
    <span class="kt">readonly</span> <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-ArrayBuffer"><span class="kt">ArrayBuffer</span></a>           <dfn class="nv dfn-paneled idl-code" data-dfn-for="PublicKeyCredential" data-dfn-type="attribute" data-export="" data-readonly="" data-type="ArrayBuffer" id="dom-publickeycredential-rawid">rawId</dfn>;
    <span class="kt">readonly</span> <span class="kt">attribute</span> <a class="n" data-link-type="idl-name" href="#authenticatorresponse" id="ref-for-authenticatorresponse-1">AuthenticatorResponse</a> <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="AuthenticatorResponse" href="#dom-publickeycredential-response" id="ref-for-dom-publickeycredential-response-1">response</a>;
    <span class="kt">readonly</span> <span class="kt">attribute</span> <a class="n" data-link-type="idl-name" href="#typedefdef-authenticationextensions" id="ref-for-typedefdef-authenticationextensions-1">AuthenticationExtensions</a> <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="AuthenticationExtensions" href="#dom-publickeycredential-clientextensionresults" id="ref-for-dom-publickeycredential-clientextensionresults-1">clientExtensionResults</a>;
};
</pre>
   <dl>
    <dt data-md=""><code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credential-id">id</a></code>
    <dd data-md="">
     <p>This attribute is inherited from <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#credential">Credential</a></code>, though <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential-4">PublicKeyCredential</a></code> overrides <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#credential">Credential</a></code>'s getter,
instead returning the <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding-1">base64url encoding</a> of the data contained in the object’s <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-identifier-slot" id="ref-for-dom-publickeycredential-identifier-slot-1">[[identifier]]</a></code> <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots">internal slot</a>.</p>
    <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-rawid" id="ref-for-dom-publickeycredential-rawid-1">rawId</a></code>
    <dd data-md="">
     <p>This attribute returns the <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-ArrayBuffer">ArrayBuffer</a></code> contained in the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-identifier-slot" id="ref-for-dom-publickeycredential-identifier-slot-2">[[identifier]]</a></code> internal slot.</p>
    <dt data-md=""><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredential" data-dfn-type="attribute" data-export="" id="dom-publickeycredential-response">response</dfn>, <span> of type <a data-link-type="idl-name" href="#authenticatorresponse" id="ref-for-authenticatorresponse-2">AuthenticatorResponse</a>, readonly</span>
    <dd data-md="">
     <p>This attribute contains the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-19">authenticator</a>'s response to the client’s request to either create a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential-13">public key
credential</a>, or generate an <a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion-5">authentication assertion</a>. If the <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential-5">PublicKeyCredential</a></code> is created in response to <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create">create()</a></code>, this attribute’s value will be an <code class="idl"><a data-link-type="idl" href="#authenticatorattestationresponse" id="ref-for-authenticatorattestationresponse-1">AuthenticatorAttestationResponse</a></code>, otherwise,
the <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential-6">PublicKeyCredential</a></code> was created in response to <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get">get()</a></code>, and this attribute’s value
will be an <code class="idl"><a data-link-type="idl" href="#authenticatorassertionresponse" id="ref-for-authenticatorassertionresponse-2">AuthenticatorAssertionResponse</a></code>.</p>
    <dt data-md=""><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredential" data-dfn-type="attribute" data-export="" id="dom-publickeycredential-clientextensionresults">clientExtensionResults</dfn>, <span> of type <a data-link-type="idl-name" href="#typedefdef-authenticationextensions" id="ref-for-typedefdef-authenticationextensions-2">AuthenticationExtensions</a>, readonly</span>
    <dd data-md="">
     <p>This attribute contains a <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-map">map</a> containing <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier-1">extension identifier</a> → <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output-1">client extension output</a> entries
produced by the extension’s <a data-link-type="dfn" href="#client-extension-processing" id="ref-for-client-extension-processing-1">client extension processing</a>.</p>
    <dt data-md=""><dfn class="idl-code" data-dfn-for="PublicKeyCredential" data-dfn-type="attribute" data-export="" id="dom-publickeycredential-type-slot">[[type]]<a class="self-link" href="#dom-publickeycredential-type-slot"></a></dfn>
    <dd data-md="">
     <p>The <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential-7">PublicKeyCredential</a></code> <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-interface-object">interface object</a>'s <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credential-type-slot">[[type]]</a></code> <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots">internal slot</a>'s value is the string
"<code>public-key</code>".</p>
     <p class="note" role="note"><span>Note:</span> This is reflected via the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credential-type">type</a></code> attribute getter inherited from <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#credential">Credential</a></code>.</p>
    <dt data-md=""><dfn class="idl-code" data-dfn-for="PublicKeyCredential" data-dfn-type="attribute" data-export="" id="dom-publickeycredential-discovery-slot">[[discovery]]<a class="self-link" href="#dom-publickeycredential-discovery-slot"></a></dfn>
    <dd data-md="">
     <p>The <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential-8">PublicKeyCredential</a></code> <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-interface-object">interface object</a>'s <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credential-discovery-slot">[[discovery]]</a></code> <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots">internal slot</a>'s value is
"<code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credential-discovery-remote">remote</a></code>".</p>
    <dt data-md=""><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredential" data-dfn-type="attribute" data-export="" id="dom-publickeycredential-identifier-slot">[[identifier]]</dfn>
    <dd data-md="">
     <p>This <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots">internal slot</a> contains an identifier for the credential, chosen by the platform with help from the
authenticator. This identifier is used to look up credentials for use, and is therefore expected to be globally unique
with high probability across all credentials of the same type, across all authenticators. This API does not constrain
the format or length of this identifier, except that it must be sufficient for the platform to uniquely select a key.
For example, an authenticator without on-board storage may create identifiers containing a <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key-3">credential private key</a> wrapped with a symmetric key that is burned into the authenticator.</p>
   </dl>
   <p><code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential-9">PublicKeyCredential</a></code>'s <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-interface-object">interface object</a> inherits <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#credential">Credential</a></code>'s implementation of <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credential-collectfromcredentialstore-slot">[[CollectFromCredentialStore]](options)</a></code> and <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credential-store-slot">[[Store]](credential)</a></code>, and defines its own
implementation of <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-discoverfromexternalsource-slot" id="ref-for-dom-publickeycredential-discoverfromexternalsource-slot-1">[[DiscoverFromExternalSource]](options)</a></code> and <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-create-slot" id="ref-for-dom-publickeycredential-create-slot-1">[[Create]](options)</a></code>.</p>
   <h4 class="heading settled" data-level="4.1.1" id="credentialrequestoptions-extension"><span class="secno">4.1.1. </span><span class="content"><code>CredentialRequestOptions</code> Extension</span><a class="self-link" href="#credentialrequestoptions-extension"></a></h4>
   <p>To support obtaining assertions via <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get">navigator.credentials.get()</a></code>, this document extends the <code class="idl"><a data-link-type="idl" href="#dictdef-credentialrequestoptions" id="ref-for-dictdef-credentialrequestoptions-1">CredentialRequestOptions</a></code> dictionary as follows:</p>
<pre class="idl highlight def"><span class="kt">partial</span> <span class="kt">dictionary</span> <dfn class="nv dfn-paneled idl-code" data-dfn-type="dictionary" data-export="" id="dictdef-credentialrequestoptions">CredentialRequestOptions</dfn> {
    <a class="n" data-link-type="idl-name" href="#dictdef-publickeycredentialrequestoptions" id="ref-for-dictdef-publickeycredentialrequestoptions-1">PublicKeyCredentialRequestOptions</a>? <dfn class="nv dfn-paneled idl-code" data-dfn-for="CredentialRequestOptions" data-dfn-type="dict-member" data-export="" data-type="PublicKeyCredentialRequestOptions? " id="dom-credentialrequestoptions-publickey">publicKey</dfn>;
};
</pre>
   <h4 class="heading settled" data-level="4.1.2" id="credentialcreationoptions-extension"><span class="secno">4.1.2. </span><span class="content"><code>CredentialCreationOptions</code> Extension</span><a class="self-link" href="#credentialcreationoptions-extension"></a></h4>
   <p>To support registration via <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create">navigator.credentials.create()</a></code>, this document extends
the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dictdef-credentialcreationoptions">CredentialCreationOptions</a></code> dictionary as follows:</p>
<pre class="idl highlight def"><span class="kt">partial</span> <span class="kt">dictionary</span> <a class="nv idl-code" data-link-type="dictionary" href="https://w3c.github.io/webappsec-credential-management/#dictdef-credentialcreationoptions">CredentialCreationOptions</a> {
    <a class="n" data-link-type="idl-name" href="#dictdef-makecredentialoptions" id="ref-for-dictdef-makecredentialoptions-1">MakeCredentialOptions</a>? <dfn class="nv dfn-paneled idl-code" data-dfn-for="CredentialCreationOptions" data-dfn-type="dict-member" data-export="" data-type="MakeCredentialOptions? " id="dom-credentialcreationoptions-publickey">publicKey</dfn>;
};
</pre>
   <h4 class="heading settled" data-level="4.1.3" id="createCredential"><span class="secno">4.1.3. </span><span class="content">Create a new credential - PublicKeyCredential’s <code>\[[Create]](options)</code> method</span><a class="self-link" href="#createCredential"></a></h4>
   <p><code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential-10">PublicKeyCredential</a></code>'s <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-interface-object">interface object</a>'s implementation of the <dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredential" data-dfn-type="method" data-export="" id="dom-publickeycredential-create-slot">[[Create]](options)</dfn> method allows scripts to call <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create">navigator.credentials.create()</a></code> to request the creation of a new <a data-link-type="dfn" href="#credential-key-pair" id="ref-for-credential-key-pair-3">credential key pair</a> and <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential-11">PublicKeyCredential</a></code>, managed by an authenticator. The user agent will prompt the user for <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent-4">consent</a>.
On success, the returned promise will be resolved with a <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential-12">PublicKeyCredential</a></code> containing an <code class="idl"><a data-link-type="idl" href="#authenticatorattestationresponse" id="ref-for-authenticatorattestationresponse-2">AuthenticatorAttestationResponse</a></code> object.</p>
   <p class="note" role="note"><span>Note:</span> This algorithm is synchronous; the <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-promise">Promise</a></code> resolution/rejection is taken care of by <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create">navigator.credentials.create()</a></code>.</p>
   <p>This method accepts a single argument:</p>
   <dl>
    <dt data-md=""><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredential/[[Create]](options)" data-dfn-type="argument" data-export="" id="dom-publickeycredential-create-options-options">options</dfn>
    <dd data-md="">
     <p>This argument is a <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dictdef-credentialcreationoptions">CredentialCreationOptions</a></code> object whose <var>options</var>["<code class="idl"><a data-link-type="idl" href="#dom-credentialcreationoptions-publickey" id="ref-for-dom-credentialcreationoptions-publickey-1">publicKey</a></code>"]
member contains a <code class="idl"><a data-link-type="idl" href="#dictdef-makecredentialoptions" id="ref-for-dictdef-makecredentialoptions-2">MakeCredentialOptions</a></code> object specifying how the credential is to be made.</p>
   </dl>
   <p>When this method is invoked, the user agent MUST execute the following algorithm:</p>
   <ol>
    <li data-md="">
     <p class="assertion">Assert: <var>options</var>["<code class="idl"><a data-link-type="idl" href="#dom-credentialrequestoptions-publickey" id="ref-for-dom-credentialrequestoptions-publickey-1">publicKey</a></code>"] is <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-present">present</a>.</p>
    <li data-md="">
     <p>Let <var>options</var> be the value of <var>options</var>["<code class="idl"><a data-link-type="idl" href="#dom-credentialrequestoptions-publickey" id="ref-for-dom-credentialrequestoptions-publickey-2">publicKey</a></code>"].</p>
    <li data-md="">
     <p>If any of the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-name" id="ref-for-dom-publickeycredentialentity-name-1">name</a></code> member of <var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-makecredentialoptions-rp" id="ref-for-dom-makecredentialoptions-rp-1">rp</a></code>, the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-name" id="ref-for-dom-publickeycredentialentity-name-2">name</a></code> member of <var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-makecredentialoptions-user" id="ref-for-dom-makecredentialoptions-user-1">user</a></code>,
the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialuserentity-displayname" id="ref-for-dom-publickeycredentialuserentity-displayname-1">displayName</a></code> member of <var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-makecredentialoptions-user" id="ref-for-dom-makecredentialoptions-user-2">user</a></code>,
or the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-id" id="ref-for-dom-publickeycredentialentity-id-1">id</a></code> member of <var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-makecredentialoptions-user" id="ref-for-dom-makecredentialoptions-user-3">user</a></code> are <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-present">not present</a>, return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#exceptiondef-typeerror">TypeError</a></code> <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-simple-exception">simple exception</a>.</p>
    <li data-md="">
     <p>If the <code class="idl"><a data-link-type="idl" href="#dom-makecredentialoptions-timeout" id="ref-for-dom-makecredentialoptions-timeout-1">timeout</a></code> member of <var>options</var> is <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-present">present</a>, check if its value lies within a
reasonable range as defined by the platform and if not, correct it to the closest value lying within that range. Set <var>adjustedTimeout</var> to this adjusted value. If the <code class="idl"><a data-link-type="idl" href="#dom-makecredentialoptions-timeout" id="ref-for-dom-makecredentialoptions-timeout-2">timeout</a></code> member of <var>options</var> is <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-present">not
present</a>, then set <var>adjustedTimeout</var> to a platform-specific default.</p>
    <li data-md="">
     <p>Let <var>global</var> be the <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential-13">PublicKeyCredential</a></code> <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-interface-object">interface object</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-global">environment settings object’s global object</a>.</p>
    <li data-md="">
     <p>Let <var>callerOrigin</var> be the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin">origin</a> specified by this <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential-14">PublicKeyCredential</a></code> <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-interface-object">interface object</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#relevant-settings-object">relevant settings object</a>. If <var>callerOrigin</var> is an <a data-link-type="dfn" href="https://w3c.github.io/html/browsers.html#opaque-origin">opaque origin</a>, return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException">DOMException</a></code> whose name is
"<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#notallowederror">NotAllowedError</a></code>", and terminate this algorithm.</p>
    <li data-md="">
     <p>If the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-id" id="ref-for-dom-publickeycredentialentity-id-2">id</a></code> member of <var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-makecredentialoptions-rp" id="ref-for-dom-makecredentialoptions-rp-2">rp</a></code> is <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-present">not present</a>, then set <var>rpId</var> to <var>callerOrigin</var>.</p>
     <p>Otherwise:</p>
     <ol>
      <li data-md="">
       <p>Let <var>effectiveDomain</var> be the <var>callerOrigin</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#concept-origin-effective-domain">effective domain</a>.</p>
      <li data-md="">
       <p>If <var>effectiveDomain</var> is null, then return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException">DOMException</a></code> whose name is "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#securityerror">SecurityError</a></code>" and terminate this
algorithm.</p>
      <li data-md="">
       <p>If <var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-makecredentialoptions-rp" id="ref-for-dom-makecredentialoptions-rp-3">rp</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-id" id="ref-for-dom-publickeycredentialentity-id-3">id</a></code> <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#is-a-registrable-domain-suffix-of-or-is-equal-to">is not a registrable domain suffix of and is
not equal to</a> <var>effectiveDomain</var>, return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException">DOMException</a></code> whose name is "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#securityerror">SecurityError</a></code>", and terminate this
algorithm.</p>
      <li data-md="">
       <p>Set <var>rpId</var> to <var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-makecredentialoptions-rp" id="ref-for-dom-makecredentialoptions-rp-4">rp</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-id" id="ref-for-dom-publickeycredentialentity-id-4">id</a></code>.</p>
     </ol>
    <li data-md="">
     <p>Let <var>normalizedParameters</var> be a new <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list">list</a> whose <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-item">items</a> are pairs of <code class="idl"><a data-link-type="idl" href="#enumdef-publickeycredentialtype" id="ref-for-enumdef-publickeycredentialtype-1">PublicKeyCredentialType</a></code> and a <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-dictionary">dictionary</a> type (as returned by <a data-link-type="dfn" href="https://www.w3.org/TR/WebCryptoAPI/#dfn-normalize-an-algorithm">normalizing an algorithm</a>).</p>
    <li data-md="">
     <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate">For each</a> <var>current</var> of <var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-makecredentialoptions-parameters" id="ref-for-dom-makecredentialoptions-parameters-1">parameters</a></code>:</p>
     <ol>
      <li data-md="">
       <p>If <code><var>current</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialparameters-type" id="ref-for-dom-publickeycredentialparameters-type-1">type</a></code></code> does not contain a <code class="idl"><a data-link-type="idl" href="#enumdef-publickeycredentialtype" id="ref-for-enumdef-publickeycredentialtype-2">PublicKeyCredentialType</a></code> supported
by this implementation, then <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue">continue</a>.</p>
      <li data-md="">
       <p>Let <var>normalizedAlgorithm</var> be the result of <a data-link-type="dfn" href="https://www.w3.org/TR/WebCryptoAPI/#dfn-normalize-an-algorithm">normalizing an algorithm</a> <a data-link-type="biblio" href="#biblio-webcryptoapi">[WebCryptoAPI]</a>, with <var>alg</var> set to <code><var>current</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialparameters-algorithm" id="ref-for-dom-publickeycredentialparameters-algorithm-1">algorithm</a></code></code> and <var>op</var> set to <code>"generateKey"</code>. If an error occurs during this procedure, then <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue">continue</a>.</p>
      <li data-md="">
       <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-append">Append</a> the pair of <code><var>current</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialparameters-type" id="ref-for-dom-publickeycredentialparameters-type-2">type</a></code></code> and <var>normalizedAlgorithm</var> to <var>normalizedParameters</var>.</p>
     </ol>
    <li data-md="">
     <p>If <var>normalizedParameters</var> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-is-empty">is empty</a> and <var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-makecredentialoptions-parameters" id="ref-for-dom-makecredentialoptions-parameters-2">parameters</a></code> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-is-empty">is not empty</a>,
cancel the timer started in step 2, return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException">DOMException</a></code> whose name is "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#notsupportederror">NotSupportedError</a></code>", and terminate this
algorithm.</p>
    <li data-md="">
     <p>Let <var>clientExtensions</var> be a new <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-map">map</a> and let <var>authenticatorExtensions</var> be a new <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-map">map</a>.</p>
    <li data-md="">
     <p>If the <code class="idl"><a data-link-type="idl" href="#dom-makecredentialoptions-extensions" id="ref-for-dom-makecredentialoptions-extensions-1">extensions</a></code> member of <var>options</var> is <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-present">present</a>, then <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#map-iterate">for each</a> <var>extensionId</var> → <var>clientExtensionInput</var> of <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-makecredentialoptions-extensions" id="ref-for-dom-makecredentialoptions-extensions-2">extensions</a></code></code>:</p>
     <ol>
      <li data-md="">
       <p>If <var>extensionId</var> is not supported by this client platform or is not a <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension-1">registration extension</a>, then <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue">continue</a>.</p>
      <li data-md="">
       <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#map-set">Set</a> <var>clientExtensions</var>[<var>extensionId</var>] to <var>clientExtensionInput</var>.</p>
      <li data-md="">
       <p>If <var>extensionId</var> is not an <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension-1">authenticator extension</a>, then <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue">continue</a>.</p>
      <li data-md="">
       <p>Let <var>authenticatorExtensionInput</var> be the (<a data-link-type="dfn" href="#cbor" id="ref-for-cbor-1">CBOR</a>) result of running <var>extensionId</var>’s <a data-link-type="dfn" href="#client-extension-processing" id="ref-for-client-extension-processing-2">client extension processing</a> algorithm on <var>clientExtensionInput</var>. If the algorithm returned an error, <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue">continue</a>.</p>
      <li data-md="">
       <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#map-set">Set</a> <var>authenticatorExtensions</var>[<var>extensionId</var>] to the <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding-2">base64url encoding</a> of <var>authenticatorExtensionInput</var>.</p>
     </ol>
    <li data-md="">
     <p>Let <var>collectedClientData</var> be a new <code class="idl"><a data-link-type="idl" href="#dictdef-collectedclientdata" id="ref-for-dictdef-collectedclientdata-1">CollectedClientData</a></code> instance whose fields are:</p>
     <dl>
      <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-challenge" id="ref-for-dom-collectedclientdata-challenge-1">challenge</a></code>
      <dd data-md="">
       <p>The <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding-3">base64url encoding</a> of <var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-makecredentialoptions-challenge" id="ref-for-dom-makecredentialoptions-challenge-1">challenge</a></code></p>
      <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin-1">origin</a></code>
      <dd data-md="">
       <p>The <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#unicode-serialisation-of-an-origin">unicode serialization</a> of <var>rpId</var></p>
      <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-hashalg" id="ref-for-dom-collectedclientdata-hashalg-1">hashAlg</a></code>
      <dd data-md="">
       <p>The <a data-link-type="dfn" href="https://www.w3.org/TR/WebCryptoAPI/#recognized-algorithm-name">recognized algorithm name</a> of the hash algorithm selected by the client for generating the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data-1">hash of the serialized client data</a></p>
      <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-tokenbinding" id="ref-for-dom-collectedclientdata-tokenbinding-1">tokenBinding</a></code>
      <dd data-md="">
       <p>The <a data-link-type="dfn" href="https://tools.ietf.org/html/draft-ietf-tokbind-protocol#section-3.2">Token Binding ID</a> associated with <var>callerOrigin</var>, if one is available.</p>
      <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-clientextensions" id="ref-for-dom-collectedclientdata-clientextensions-1">clientExtensions</a></code>
      <dd data-md="">
       <p><var>clientExtensions</var></p>
      <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-authenticatorextensions" id="ref-for-dom-collectedclientdata-authenticatorextensions-1">authenticatorExtensions</a></code>
      <dd data-md="">
       <p><var>authenticatorExtensions</var></p>
     </dl>
    <li data-md="">
     <p>Let <var>clientDataJSON</var> be the <a data-link-type="dfn" href="#collectedclientdata-json-serialized-client-data" id="ref-for-collectedclientdata-json-serialized-client-data-1">JSON-serialized client data</a> constructed from <var>collectedClientData</var>.</p>
    <li data-md="">
     <p>Let <var>clientDataHash</var> be the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data-2">hash of the serialized client data</a> represented by <var>clientDataJSON</var>.</p>
    <li data-md="">
     <p>Let <var>currentlyAvailableAuthenticators</var> be a new <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-set">ordered set</a> consisting of all <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-20">authenticators</a> available on this platform.</p>
    <li data-md="">
     <p>Let <var>selectedAuthenticators</var> be a new <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-set">ordered set</a>.</p>
    <li data-md="">
     <p>If <var>currentlyAvailableAuthenticators</var> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-is-empty">is empty</a>, return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException">DOMException</a></code> whose name is
"<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#notfounderror">NotFoundError</a></code>", and terminate this algorithm.</p>
    <li data-md="">
     <p>If <var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-makecredentialoptions-authenticatorselection" id="ref-for-dom-makecredentialoptions-authenticatorselection-1">authenticatorSelection</a></code> is <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-present">present</a>, iterate through <var>currentlyAvailableAuthenticators</var> and do the following <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate">for each</a> <var>authenticator</var>:</p>
     <ol>
      <li data-md="">
       <p>If <code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-attachment" id="ref-for-dom-authenticatorselectioncriteria-attachment-1">attachment</a></code> is <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-present">present</a> and its value is not equal
to <var>authenticator</var>’s attachment modality, <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue">continue</a>.</p>
      <li data-md="">
       <p>If <code class="idl"><a data-link-type="idl" href="#dom-authenticatorselectioncriteria-requireresidentkey" id="ref-for-dom-authenticatorselectioncriteria-requireresidentkey-1">requireResidentKey</a></code> is set to <var>true</var> and the <var>authenticator</var> is not capable of storing a <a data-link-type="dfn" href="#client-side-resident-credential-private-key" id="ref-for-client-side-resident-credential-private-key-3">Client-Side-Resident Credential Private Key</a>, <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue">continue</a>.</p>
      <li data-md="">
       <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#set-append">Append</a> <var>authenticator</var> to <var>selectedAuthenticators</var>.</p>
     </ol>
    <li data-md="">
     <p>If <var>selectedAuthenticators</var> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-is-empty">is empty</a>, return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException">DOMException</a></code> whose name is
"<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#constrainterror">ConstraintError</a></code>", and terminate this algoritm.</p>
    <li data-md="">
     <p>Let <var>issuedRequests</var> be a new <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-set">ordered set</a>.</p>
    <li data-md="">
     <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate">For each</a> <var>authenticator</var> in <var>currentlyAvailableAuthenticators</var>:</p>
     <ol>
      <li data-md="">
       <p>Let <var>excludeList</var> be a new <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list">list</a>.</p>
      <li data-md="">
       <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate">For each</a> credential <var>C</var> in <code><var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-makecredentialoptions-excludelist" id="ref-for-dom-makecredentialoptions-excludelist-1">excludeList</a></code></code>:</p>
       <ol>
        <li data-md="">
         <p>If <code><var>C</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-transports" id="ref-for-dom-publickeycredentialdescriptor-transports-1">transports</a></code></code> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-is-empty">is not empty</a>, and <var>authenticator</var> is connected over a transport not
mentioned in <code><var>C</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-transports" id="ref-for-dom-publickeycredentialdescriptor-transports-2">transports</a></code></code>, the client MAY <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue">continue</a>.</p>
        <li data-md="">
         <p>Otherwise, <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-append">Append</a> <var>C</var> to <var>excludeList</var>.</p>
       </ol>
      <li data-md="">
       <p><a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/infrastructure.html#in-parallel">In parallel</a>, invoke the <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential-4">authenticatorMakeCredential</a> operation on <var>authenticator</var> with <var>rpId</var>, <var>clientDataHash</var>, <var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-makecredentialoptions-rp" id="ref-for-dom-makecredentialoptions-rp-5">rp</a></code>, <var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-makecredentialoptions-user" id="ref-for-dom-makecredentialoptions-user-4">user</a></code>, <var>normalizedParameters</var>, <var>excludeList</var>, and <var>authenticatorExtensions</var> as parameters.</p>
      <li data-md="">
       <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#set-append">Append</a> <var>authenticator</var> to <var>issuedRequests</var>.</p>
     </ol>
    <li data-md="">
     <p>Start a timer for <var>adjustedTimeout</var> milliseconds. Then execute the following steps <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/infrastructure.html#in-parallel">in parallel</a>. The <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#task-source">task source</a> for
these <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-task">tasks</a> is the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#dom-manipulation-task-source">dom manipulation task source</a>.</p>
    <li data-md="">
     <p>While <var>issuedRequests</var> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-is-empty">is not empty</a>, perform the following actions depending upon the <var>adjustedTimeout</var> timer and
responses from the authenticators:</p>
     <dl class="switch">
      <dt>If the <var>adjustedTimeout</var> timer expires,
      <dd><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate">For each</a> <var>authenticator</var> in <var>issuedRequests</var> invoke the <a data-link-type="dfn" href="#authenticatorcancel" id="ref-for-authenticatorcancel-1">authenticatorCancel</a> operation on <var>authenticator</var> and <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove">remove</a> <var>authenticator</var> from <var>issuedRequests</var>.
      <dt>If any <var>authenticator</var> returns a status indicating that the user cancelled the operation,
      <dd>
       <ol>
        <li data-md="">
         <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove">Remove</a> <var>authenticator</var> from <var>issuedRequests</var>.</p>
        <li data-md="">
         <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate">For each</a> remaining <var>authenticator</var> in <var>issuedRequests</var> invoke the <a data-link-type="dfn" href="#authenticatorcancel" id="ref-for-authenticatorcancel-2">authenticatorCancel</a> operation on <var>authenticator</var> and <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove">remove</a> it from <var>issuedRequests</var>.</p>
       </ol>
      <dt>If any <var>authenticator</var> returns an error status,
      <dd><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove">Remove</a> <var>authenticator</var> from <var>issuedRequests</var>.
      <dt>If any <var>authenticator</var> indicates success,
      <dd>
       <ol>
        <li data-md="">
         <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove">Remove</a> <var>authenticator</var> from <var>issuedRequests</var>.</p>
        <li data-md="">
         <p>Let <var>attestationObject</var> be a new <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-ArrayBuffer">ArrayBuffer</a></code>, created using <var>global</var>’s <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-arraybuffer-constructor">%ArrayBuffer%</a>, containing the
bytes of the value returned from the successful <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential-5">authenticatorMakeCredential</a> operation (which is <code>attObj</code>, as defined in <a href="#generating-an-attestation-object">§5.3.4 Generating an Attestation Object</a>).</p>
        <li data-md="">
         <p>Let <var>id</var> be <var>attestationObject</var><code>.authData.attestation data.credential ID</code> (see <a href="#sec-attestation-data">§5.3.1 Attestation data</a> and <a href="#sec-authenticator-data">§5.1 Authenticator data</a>).</p>
        <li data-md="">
         <p>Let <var>value</var> be a new <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential-15">PublicKeyCredential</a></code> object associated with <var>global</var> whose fields are:</p>
         <dl>
          <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-identifier-slot" id="ref-for-dom-publickeycredential-identifier-slot-3">[[identifier]]</a></code>
          <dd data-md="">
           <p><var>id</var></p>
          <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-response" id="ref-for-dom-publickeycredential-response-2">response</a></code>
          <dd data-md="">
           <p>A new <code class="idl"><a data-link-type="idl" href="#authenticatorattestationresponse" id="ref-for-authenticatorattestationresponse-3">AuthenticatorAttestationResponse</a></code> object associated with <var>global</var> whose fields are:</p>
           <dl>
            <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-authenticatorresponse-clientdatajson" id="ref-for-dom-authenticatorresponse-clientdatajson-1">clientDataJSON</a></code>
            <dd data-md="">
             <p>A new <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-ArrayBuffer">ArrayBuffer</a></code>, created using <var>global</var>’s <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-arraybuffer-constructor">%ArrayBuffer%</a>, containing the bytes of <var>clientDataJSON</var>.</p>
            <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-attestationobject" id="ref-for-dom-authenticatorattestationresponse-attestationobject-1">attestationObject</a></code>
            <dd data-md="">
             <p><var>attestationObject</var></p>
           </dl>
          <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-clientextensionresults" id="ref-for-dom-publickeycredential-clientextensionresults-2">clientExtensionResults</a></code>
          <dd data-md="">
           <p>A new <code class="idl"><a data-link-type="idl" href="#typedefdef-authenticationextensions" id="ref-for-typedefdef-authenticationextensions-3">AuthenticationExtensions</a></code> object containing the <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier-2">extension identifier</a> → <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output-2">client extension output</a> entries created by running each extension’s <a data-link-type="dfn" href="#client-extension-processing" id="ref-for-client-extension-processing-3">client extension processing</a> algorithm to create the <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output-3">client
extension outputs</a>, for each <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension-1">client extension</a> in <code class="idl"><a data-link-type="idl" href="#dom-authenticatorresponse-clientdatajson" id="ref-for-dom-authenticatorresponse-clientdatajson-2">clientDataJSON</a></code>.clientExtensions.</p>
         </dl>
        <li data-md="">
         <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate">For each</a> remaining <var>authenticator</var> in <var>issuedRequests</var> invoke the <a data-link-type="dfn" href="#authenticatorcancel" id="ref-for-authenticatorcancel-3">authenticatorCancel</a> operation on <var>authenticator</var> and <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove">remove</a> it from <var>issuedRequests</var>.</p>
        <li data-md="">
         <p>Return <var>value</var> and terminate this algorithm.</p>
       </ol>
     </dl>
    <li data-md="">
     <p>Return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException">DOMException</a></code> whose name is "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#notallowederror">NotAllowedError</a></code>".</p>
   </ol>
   <p>During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and
authorizing an authenticator.</p>
   <h4 class="heading settled" data-level="4.1.4" id="getAssertion"><span class="secno">4.1.4. </span><span class="content">Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</span><a class="self-link" href="#getAssertion"></a></h4>
   <div data-link-for-hint="PublicKeyCredential/[[DiscoverFromExternalSource]](options)">
     The <dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredential" data-dfn-type="method" data-export="" id="dom-publickeycredential-discoverfromexternalsource-slot">[[DiscoverFromExternalSource]](options)</dfn> method is used to discover and use an
existing <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential-14">public key credential</a>, with the user’s consent. The script optionally specifies some criteria to indicate what
credentials are acceptable to it. The user agent and/or platform locates credentials matching the specified criteria, and guides
the user to pick one that the script will be allowed to use. The user may choose not to provide a credential even if one is
present, for example to maintain privacy. 
    <p class="note" role="note"><span>Note:</span> This algorithm is synchronous; the <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-promise">Promise</a></code> resolution/rejection is taken care of by <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get">navigator.credentials.get()</a></code>.</p>
    <div class="note" role="note">
      This method takes the following parameters: 
     <dl>
      <dt data-md=""><var>options</var>
      <dd data-md="">
       <p>A <code class="idl"><a data-link-type="idl" href="#dictdef-credentialrequestoptions" id="ref-for-dictdef-credentialrequestoptions-2">CredentialRequestOptions</a></code> object, containing a challenge that the selected authenticator is expected to
sign to produce the assertion, and additional options as described in <a href="#assertion-options">§4.6 Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a></p>
     </dl>
    </div>
    <p>When this method is invoked, the user agent MUST execute the following algorithm:</p>
    <ol>
     <li data-md="">
      <p>Let <var>publicKeyOptions</var> be the value of <var>options</var> <code class="idl"><a data-link-type="idl" href="#dom-credentialrequestoptions-publickey" id="ref-for-dom-credentialrequestoptions-publickey-3">publicKey</a></code> member.</p>
     <li data-md="">
      <p>If the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-timeout" id="ref-for-dom-publickeycredentialrequestoptions-timeout-1">timeout</a></code> member of <var>publicKeyOptions</var> is <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-present">present</a>, check if its value lies
within a reasonable range as defined by the platform and if not, correct it to the closest value lying within that range.
Set <var>adjustedTimeout</var> to this adjusted value. If the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-timeout" id="ref-for-dom-publickeycredentialrequestoptions-timeout-2">timeout</a></code> member of <var>publicKeyOptions</var> is <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-present">not present</a>, then set <var>adjustedTimeout</var> to a platform-specific default.</p>
     <li data-md="">
      <p>Let <var>global</var> be the <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential-16">PublicKeyCredential</a></code>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#relevant-settings-object">relevant settings object</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-global">environment settings object’s global object</a>.</p>
     <li data-md="">
      <p>Let <var>callerOrigin</var> be the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin">origin</a> of this <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#credentialscontainer">CredentialsContainer</a></code> object’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#relevant-settings-object">relevant
settings object</a>. If <var>callerOrigin</var> is an <a data-link-type="dfn" href="https://w3c.github.io/html/browsers.html#opaque-origin">opaque origin</a>, return <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException">DOMException</a></code> whose name is
"<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#notallowederror">NotAllowedError</a></code>", and terminate this algorithm.</p>
     <li data-md="">
      <p>If the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-rpid" id="ref-for-dom-publickeycredentialrequestoptions-rpid-1">rpId</a></code> member of <var>publicKeyOptions</var> is <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-present">not present</a>, then set <var>rpId</var> to <var>callerOrigin</var>.
Otherwise:</p>
      <ol>
       <li data-md="">
        <p>Let <var>effectiveDomain</var> be the <var>callerOrigin</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#concept-origin-effective-domain">effective domain</a>.</p>
       <li data-md="">
        <p>If <var>effectiveDomain</var> is null, then return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException">DOMException</a></code> whose name is "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#securityerror">SecurityError</a></code>" and terminate this
algorithm.</p>
       <li data-md="">
        <p>If <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-rpid" id="ref-for-dom-publickeycredentialrequestoptions-rpid-2">rpId</a></code> <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#is-a-registrable-domain-suffix-of-or-is-equal-to">is not a registrable domain suffix of and is not equal to</a> <var>effectiveDomain</var>, return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException">DOMException</a></code> whose name is "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#securityerror">SecurityError</a></code>", and terminate this algorithm.</p>
       <li data-md="">
        <p>Set <var>rpId</var> to the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-rpid" id="ref-for-dom-publickeycredentialrequestoptions-rpid-3">rpId</a></code>.</p>
      </ol>
     <li data-md="">
      <p>Let <var>clientExtensions</var> be a new <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-map">map</a> and let <var>authenticatorExtensions</var> be a new <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-map">map</a>.</p>
     <li data-md="">
      <p>If the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-extensions" id="ref-for-dom-publickeycredentialrequestoptions-extensions-1">extensions</a></code> member of <var>publicKeyOptions</var> is <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-present">present</a>, then <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#map-iterate">for each</a> <var>extensionId</var> → <var>clientExtensionInput</var> of <code><var>publicKeyOptions</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-extensions" id="ref-for-dom-publickeycredentialrequestoptions-extensions-2">extensions</a></code></code>:</p>
      <ol>
       <li data-md="">
        <p>If <var>extensionId</var> is not supported by this client platform or is not an <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension-1">authentication extension</a>, then <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue">continue</a>.</p>
       <li data-md="">
        <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#map-set">Set</a> <var>clientExtensions</var>[<var>extensionId</var>] to <var>clientExtensionInput</var>.</p>
       <li data-md="">
        <p>If <var>extensionId</var> is not an <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension-2">authenticator extension</a>, then <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue">continue</a>.</p>
       <li data-md="">
        <p>Let <var>authenticatorExtensionInput</var> be the (<a data-link-type="dfn" href="#cbor" id="ref-for-cbor-2">CBOR</a>) result of running <var>extensionId</var>’s <a data-link-type="dfn" href="#client-extension-processing" id="ref-for-client-extension-processing-4">client extension processing</a> algorithm on <var>clientExtensionInput</var>.
If the algorithm returned an error, <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue">continue</a>.</p>
       <li data-md="">
        <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#map-set">Set</a> <var>authenticatorExtensions</var>[<var>extensionId</var>] to the <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding-4">base64url encoding</a> of <var>authenticatorExtensionInput</var>.</p>
      </ol>
     <li data-md="">
      <p>Let <var>collectedClientData</var> be a new <code class="idl"><a data-link-type="idl" href="#dictdef-collectedclientdata" id="ref-for-dictdef-collectedclientdata-2">CollectedClientData</a></code> instance whose fields are:</p>
      <dl>
       <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-challenge" id="ref-for-dom-collectedclientdata-challenge-2">challenge</a></code>
       <dd data-md="">
        <p>The <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding-5">base64url encoding</a> of <var>publicKeyOptions</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-challenge" id="ref-for-dom-publickeycredentialrequestoptions-challenge-1">challenge</a></code></p>
       <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin-2">origin</a></code>
       <dd data-md="">
        <p>The <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#unicode-serialisation-of-an-origin">unicode serialization</a> of <var>rpId</var></p>
       <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-hashalg" id="ref-for-dom-collectedclientdata-hashalg-2">hashAlg</a></code>
       <dd data-md="">
        <p>The <a data-link-type="dfn" href="https://www.w3.org/TR/WebCryptoAPI/#recognized-algorithm-name">recognized algorithm name</a> of the hash algorithm selected by the client for generating the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data-3">hash of the serialized client data</a></p>
       <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-tokenbinding" id="ref-for-dom-collectedclientdata-tokenbinding-2">tokenBinding</a></code>
       <dd data-md="">
        <p>The <a data-link-type="dfn" href="https://tools.ietf.org/html/draft-ietf-tokbind-protocol#section-3.2">Token Binding ID</a> associated with <var>callerOrigin</var>, if one is available.</p>
       <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-clientextensions" id="ref-for-dom-collectedclientdata-clientextensions-2">clientExtensions</a></code>
       <dd data-md="">
        <p><var>clientExtensions</var></p>
       <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-authenticatorextensions" id="ref-for-dom-collectedclientdata-authenticatorextensions-2">authenticatorExtensions</a></code>
       <dd data-md="">
        <p><var>authenticatorExtensions</var></p>
      </dl>
     <li data-md="">
      <p>Let <var>clientDataJSON</var> be the <a data-link-type="dfn" href="#collectedclientdata-json-serialized-client-data" id="ref-for-collectedclientdata-json-serialized-client-data-2">JSON-serialized client data</a> constructed from <var>collectedClientData</var>.</p>
     <li data-md="">
      <p>Let <var>clientDataHash</var> be the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data-4">hash of the serialized client data</a> represented by <var>clientDataJSON</var>.</p>
     <li data-md="">
      <p>Let <var>issuedRequests</var> be a new <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-set">ordered set</a>.</p>
     <li data-md="">
      <p>If there are no <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-21">authenticators</a> currently available on this platform, return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException">DOMException</a></code> whose name is
"<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#notfounderror">NotFoundError</a></code>", and terminate this algorithm.</p>
     <li data-md="">
      <p>For each <var>authenticator</var> currently available on this platform, perform the following steps:</p>
      <ol>
       <li data-md="">
        <p>Let <var>credentialList</var> be a new <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list">list</a>.</p>
       <li data-md="">
        <p>If <code><var>publicKeyOptions</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowlist" id="ref-for-dom-publickeycredentialrequestoptions-allowlist-1">allowList</a></code></code> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-is-empty">is not empty</a>, execute a
platform-specific procedure to determine which, if any, credentials in <code><var>publicKeyOptions</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowlist" id="ref-for-dom-publickeycredentialrequestoptions-allowlist-2">allowList</a></code></code> are present on this <var>authenticator</var> by
matching with <code><var>publicKeyOptions</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowlist" id="ref-for-dom-publickeycredentialrequestoptions-allowlist-3">allowList</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-id" id="ref-for-dom-publickeycredentialdescriptor-id-1">id</a></code></code> and <code><var>publicKeyOptions</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-allowlist" id="ref-for-dom-publickeycredentialrequestoptions-allowlist-4">allowList</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-type" id="ref-for-dom-publickeycredentialdescriptor-type-1">type</a></code></code>,
and set <var>credentialList</var> to this filtered list.</p>
       <li data-md="">
        <p>If <var>credentialList</var> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-is-empty">is empty</a> then <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue">continue</a>.</p>
       <li data-md="">
        <p><a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/infrastructure.html#in-parallel">In parallel</a>, <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate">for each</a> credential <var>C</var> in <var>credentialList</var>:</p>
        <ol>
         <li data-md="">
          <p>If <code><var>C</var>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-transports" id="ref-for-dom-publickeycredentialdescriptor-transports-3">transports</a></code></code> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-is-empty">is not empty</a>, the client SHOULD select one <var>transport</var> from <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialdescriptor-transports" id="ref-for-dom-publickeycredentialdescriptor-transports-4">transports</a></code>. Then, using <var>transport</var>, invoke the <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion-4">authenticatorGetAssertion</a> operation on <var>authenticator</var>, with <var>rpId</var>, <var>clientDataHash</var>, <var>credentialList</var>, and <var>authenticatorExtensions</var> as parameters.</p>
         <li data-md="">
          <p>Otherwise, using local configuration knowledge of the appropriate transport to use with <var>authenticator</var>, invoke the <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion-5">authenticatorGetAssertion</a> operation on <var>authenticator</var> with <var>rpId</var>, <var>clientDataHash</var>, <var>credentialList</var>, and <var>clientExtensions</var> as parameters.</p>
        </ol>
       <li data-md="">
        <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#set-append">Append</a> <var>authenticator</var> to <var>issuedRequests</var>.</p>
      </ol>
     <li data-md="">
      <p>Start a timer for <var>adjustedTimeout</var> milliseconds. Then execute the following steps <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/infrastructure.html#in-parallel">in parallel</a>. The <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#task-source">task source</a> for
these <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-task">tasks</a> is the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#dom-manipulation-task-source">dom manipulation task source</a>.</p>
     <li data-md="">
      <p>While <var>issuedRequests</var> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-is-empty">is not empty</a>, perform the following actions depending upon the <var>adjustedTimeout</var> timer and
responses from the authenticators:</p>
      <dl class="switch">
       <dt>If the <var>adjustedTimeout</var> timer expires,
       <dd><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate">For each</a> <var>authenticator</var> in <var>issuedRequests</var> invoke the <a data-link-type="dfn" href="#authenticatorcancel" id="ref-for-authenticatorcancel-4">authenticatorCancel</a> operation on <var>authenticator</var> and <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove">remove</a> <var>authenticator</var> from <var>issuedRequests</var>.
       <dt>If any <var>authenticator</var> returns a status indicating that the user cancelled the operation,
       <dd>
        <ol>
         <li data-md="">
          <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove">Remove</a> <var>authenticator</var> from <var>issuedRequests</var>.</p>
         <li data-md="">
          <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate">For each</a> remaining <var>authenticator</var> in <var>issuedRequests</var> invoke the <a data-link-type="dfn" href="#authenticatorcancel" id="ref-for-authenticatorcancel-5">authenticatorCancel</a> operation on <var>authenticator</var> and <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove">remove</a> it from <var>issuedRequests</var>.</p>
        </ol>
       <dt>If any <var>authenticator</var> returns an error status,
       <dd><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove">Remove</a> <var>authenticator</var> from <var>issuedRequests</var>.
       <dt>If any <var>authenticator</var> indicates success,
       <dd>
        <ol>
         <li data-md="">
          <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove">Remove</a> <var>authenticator</var> from <var>issuedRequests</var>.</p>
         <li data-md="">
          <p>Let <var>value</var> be a new <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential-17">PublicKeyCredential</a></code> associated with <var>global</var> whose fields are:</p>
          <dl>
           <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-identifier-slot" id="ref-for-dom-publickeycredential-identifier-slot-4">[[identifier]]</a></code>
           <dd data-md="">
            <p>A new <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-ArrayBuffer">ArrayBuffer</a></code>, created using <var>global</var>’s <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-arraybuffer-constructor">%ArrayBuffer%</a>, containing the bytes of the credential ID
returned from the successful <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion-6">authenticatorGetAssertion</a> operation, as defined in [#op-get-assertion]].</p>
           <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-response" id="ref-for-dom-publickeycredential-response-3">response</a></code>
           <dd data-md="">
            <p>A new <code class="idl"><a data-link-type="idl" href="#authenticatorassertionresponse" id="ref-for-authenticatorassertionresponse-3">AuthenticatorAssertionResponse</a></code> object associated with <var>global</var> whose fields are:</p>
            <dl>
             <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-authenticatorresponse-clientdatajson" id="ref-for-dom-authenticatorresponse-clientdatajson-3">clientDataJSON</a></code>
             <dd data-md="">
              <p>A new <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-ArrayBuffer">ArrayBuffer</a></code>, created using <var>global</var>’s <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-arraybuffer-constructor">%ArrayBuffer%</a>, containing the bytes of <var>clientDataJSON</var></p>
             <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-authenticatorassertionresponse-authenticatordata" id="ref-for-dom-authenticatorassertionresponse-authenticatordata-1">authenticatorData</a></code>
             <dd data-md="">
              <p>A new <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-ArrayBuffer">ArrayBuffer</a></code>, created using <var>global</var>’s <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-arraybuffer-constructor">%ArrayBuffer%</a>, containing the bytes of the returned <code class="idl"><a data-link-type="idl" href="#dom-authenticatorassertionresponse-authenticatordata" id="ref-for-dom-authenticatorassertionresponse-authenticatordata-2">authenticatorData</a></code></p>
             <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-authenticatorassertionresponse-signature" id="ref-for-dom-authenticatorassertionresponse-signature-1">signature</a></code>
             <dd data-md="">
              <p>A new <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-ArrayBuffer">ArrayBuffer</a></code>, created using <var>global</var>’s <a data-link-type="dfn" href="https://tc39.github.io/ecma262/#sec-arraybuffer-constructor">%ArrayBuffer%</a>, containing the bytes of the returned <code class="idl"><a data-link-type="idl" href="#dom-authenticatorassertionresponse-signature" id="ref-for-dom-authenticatorassertionresponse-signature-2">signature</a></code></p>
            </dl>
           <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-clientextensionresults" id="ref-for-dom-publickeycredential-clientextensionresults-3">clientExtensionResults</a></code>
           <dd data-md="">
            <p>A new <code class="idl"><a data-link-type="idl" href="#typedefdef-authenticationextensions" id="ref-for-typedefdef-authenticationextensions-4">AuthenticationExtensions</a></code> object containing the <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier-3">extension identifier</a> → <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output-4">client extension output</a> entries created by running each extension’s <a data-link-type="dfn" href="#client-extension-processing" id="ref-for-client-extension-processing-5">client extension processing</a> algorithm to create the <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output-5">client
extension outputs</a>, for each <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension-2">client extension</a> in <code class="idl"><a data-link-type="idl" href="#dom-authenticatorresponse-clientdatajson" id="ref-for-dom-authenticatorresponse-clientdatajson-4">clientDataJSON</a></code>.clientExtensions.</p>
          </dl>
         <li data-md="">
          <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-iterate">For each</a> remaining <var>authenticator</var> in <var>issuedRequests</var> invoke the <a data-link-type="dfn" href="#authenticatorcancel" id="ref-for-authenticatorcancel-6">authenticatorCancel</a> operation on <var>authenticator</var> and <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-remove">remove</a> it from <var>issuedRequests</var>.</p>
         <li data-md="">
          <p>Return <var>value</var> and terminate this algorithm.</p>
        </ol>
      </dl>
     <li data-md="">
      <p>Return a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#idl-DOMException">DOMException</a></code> whose name is "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#notallowederror">NotAllowedError</a></code>".</p>
    </ol>
    <p>During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and
authorizing an authenticator with which to complete the operation.</p>
   </div>
   <h3 class="heading settled" data-level="4.2" id="iface-authenticatorresponse"><span class="secno">4.2. </span><span class="content">Authenticator Responses (interface <dfn class="dfn-paneled idl-code" data-dfn-type="interface" data-export="" id="authenticatorresponse">AuthenticatorResponse</dfn>)</span><a class="self-link" href="#iface-authenticatorresponse"></a></h3>
   <p><a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-22">Authenticators</a> respond to relying party requests by returning an object derived from the <code class="idl"><a data-link-type="idl" href="#authenticatorresponse" id="ref-for-authenticatorresponse-3">AuthenticatorResponse</a></code> interface:</p>
<pre class="idl highlight def">[<a class="nv idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SecureContext">SecureContext</a>]
<span class="kt">interface</span> <a class="nv idl-code" data-link-type="interface" href="#authenticatorresponse" id="ref-for-authenticatorresponse-4">AuthenticatorResponse</a> {
    <span class="kt">readonly</span> <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-ArrayBuffer"><span class="kt">ArrayBuffer</span></a> <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="ArrayBuffer" href="#dom-authenticatorresponse-clientdatajson" id="ref-for-dom-authenticatorresponse-clientdatajson-5">clientDataJSON</a>;
};
</pre>
   <div>
    <dl>
     <dt data-md=""><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticatorResponse" data-dfn-type="attribute" data-export="" id="dom-authenticatorresponse-clientdatajson">clientDataJSON</dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-ArrayBuffer">ArrayBuffer</a>, readonly</span>
     <dd data-md="">
      <p>This attribute contains a <a data-link-type="dfn" href="#collectedclientdata-json-serialized-client-data" id="ref-for-collectedclientdata-json-serialized-client-data-3">JSON serialization</a> of the <a data-link-type="dfn" href="#client-data" id="ref-for-client-data-1">client data</a> passed to the
authenticator by the client in its call to either <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create">create()</a></code> or <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get">get()</a></code>.</p>
    </dl>
   </div>
   <h4 class="heading settled" data-level="4.2.1" id="iface-authenticatorattestationresponse"><span class="secno">4.2.1. </span><span class="content">Information about Public Key Credential (interface <dfn class="dfn-paneled idl-code" data-dfn-type="interface" data-export="" id="authenticatorattestationresponse">AuthenticatorAttestationResponse</dfn>)</span><a class="self-link" href="#iface-authenticatorattestationresponse"></a></h4>
   <p>The <code class="idl"><a data-link-type="idl" href="#authenticatorattestationresponse" id="ref-for-authenticatorattestationresponse-4">AuthenticatorAttestationResponse</a></code> interface represents the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-23">authenticator</a>'s response to a client’s request
for the creation of a new <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential-15">public key credential</a>. It contains information about the new credential that can be used to
identify it for later use, and metadata that can be used by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-24">Relying Party</a> to assess the characteristics of the credential
during registration.</p>
<pre class="idl highlight def">[<a class="nv idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SecureContext">SecureContext</a>]
<span class="kt">interface</span> <a class="nv idl-code" data-link-type="interface" href="#authenticatorattestationresponse" id="ref-for-authenticatorattestationresponse-5">AuthenticatorAttestationResponse</a> : <a class="n" data-link-type="idl-name" href="#authenticatorresponse" id="ref-for-authenticatorresponse-5">AuthenticatorResponse</a> {
    <span class="kt">readonly</span> <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-ArrayBuffer"><span class="kt">ArrayBuffer</span></a> <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="ArrayBuffer" href="#dom-authenticatorattestationresponse-attestationobject" id="ref-for-dom-authenticatorattestationresponse-attestationobject-2">attestationObject</a>;
};
</pre>
   <div>
    <dl>
     <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-authenticatorresponse-clientdatajson" id="ref-for-dom-authenticatorresponse-clientdatajson-6">clientDataJSON</a></code>
     <dd data-md="">
      <p>This attribute, inherited from <code class="idl"><a data-link-type="idl" href="#authenticatorresponse" id="ref-for-authenticatorresponse-6">AuthenticatorResponse</a></code>, contains the <a data-link-type="dfn" href="#collectedclientdata-json-serialized-client-data" id="ref-for-collectedclientdata-json-serialized-client-data-4">JSON-serialized client data</a> (see <a href="#cred-attestation">§5.3 Credential Attestation</a>) passed to the authenticator by the client in order to generate this credential. The
exact JSON serialization must be preserved, as the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data-5">hash of the serialized client data</a> has been computed
over it.</p>
     <dt data-md=""><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticatorAttestationResponse" data-dfn-type="attribute" data-export="" id="dom-authenticatorattestationresponse-attestationobject">attestationObject</dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-ArrayBuffer">ArrayBuffer</a>, readonly</span>
     <dd data-md="">
      <p>This attribute contains an <a data-link-type="dfn" href="#attestation-objects" id="ref-for-attestation-objects-2">attestation object</a>, which is opaque to, and cryptographically protected against
tampering by, the client. The <a data-link-type="dfn" href="#attestation-objects" id="ref-for-attestation-objects-3">attestation object</a> contains both <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-1">authenticator data</a> and an attestation
statement. The former contains the AAGUID, a unique credential ID, and the <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key-2">credential public key</a>. The
contents of the attestation statement are determined by the <a data-link-type="dfn" href="#attestation-statement-format" id="ref-for-attestation-statement-format-2">attestation statement format</a> used by the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-24">authenticator</a>. It also contains any additional information that the Relying Party’s server requires to validate the
attestation statement, as well as to decode and validate the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-2">authenticator data</a> along with the <a data-link-type="dfn" href="#collectedclientdata-json-serialized-client-data" id="ref-for-collectedclientdata-json-serialized-client-data-5">JSON-serialized client data</a>. For more details, see <a href="#cred-attestation">§5.3 Credential Attestation</a> as well as <a href="#fig-attStructs">Figure 3</a>.</p>
    </dl>
   </div>
   <h4 class="heading settled" data-level="4.2.2" id="iface-authenticatorassertionresponse"><span class="secno">4.2.2. </span><span class="content">Web Authentication Assertion (interface <dfn class="dfn-paneled idl-code" data-dfn-type="interface" data-export="" id="authenticatorassertionresponse">AuthenticatorAssertionResponse</dfn>)</span><a class="self-link" href="#iface-authenticatorassertionresponse"></a></h4>
   <p>The <code class="idl"><a data-link-type="idl" href="#authenticatorassertionresponse" id="ref-for-authenticatorassertionresponse-4">AuthenticatorAssertionResponse</a></code> interface represents an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-25">authenticator</a>'s response to a client’s request for
generation of a new <a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion-6">authentication assertion</a> given the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-25">Relying Party</a>'s challenge and optional list of credentials it is
aware of. This response contains a cryptographic signature proving possession of the <a data-link-type="dfn" href="#credential-private-key" id="ref-for-credential-private-key-4">credential private key</a>, and
optionally evidence of <a data-link-type="dfn" href="#user-consent" id="ref-for-user-consent-5">user consent</a> to a specific transaction.</p>
<pre class="idl highlight def">[<a class="nv idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SecureContext">SecureContext</a>]
<span class="kt">interface</span> <a class="nv idl-code" data-link-type="interface" href="#authenticatorassertionresponse" id="ref-for-authenticatorassertionresponse-5">AuthenticatorAssertionResponse</a> : <a class="n" data-link-type="idl-name" href="#authenticatorresponse" id="ref-for-authenticatorresponse-7">AuthenticatorResponse</a> {
    <span class="kt">readonly</span> <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-ArrayBuffer"><span class="kt">ArrayBuffer</span></a>      <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="ArrayBuffer" href="#dom-authenticatorassertionresponse-authenticatordata" id="ref-for-dom-authenticatorassertionresponse-authenticatordata-3">authenticatorData</a>;
    <span class="kt">readonly</span> <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-ArrayBuffer"><span class="kt">ArrayBuffer</span></a>      <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="ArrayBuffer" href="#dom-authenticatorassertionresponse-signature" id="ref-for-dom-authenticatorassertionresponse-signature-3">signature</a>;
};
</pre>
   <div>
    <dl>
     <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-authenticatorresponse-clientdatajson" id="ref-for-dom-authenticatorresponse-clientdatajson-7">clientDataJSON</a></code>
     <dd data-md="">
      <p>This attribute, inherited from <code class="idl"><a data-link-type="idl" href="#authenticatorresponse" id="ref-for-authenticatorresponse-8">AuthenticatorResponse</a></code>, contains the <a data-link-type="dfn" href="#collectedclientdata-json-serialized-client-data" id="ref-for-collectedclientdata-json-serialized-client-data-6">JSON-serialized client data</a> (see <a href="#sec-client-data">§4.8.1 Client data used in WebAuthn signatures (dictionary CollectedClientData)</a>) passed to the authenticator by the client in order to generate this assertion. The
exact JSON serialization must be preserved, as the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data-6">hash of the serialized client data</a> has been computed
over it.</p>
     <dt data-md=""><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticatorAssertionResponse" data-dfn-type="attribute" data-export="" id="dom-authenticatorassertionresponse-authenticatordata">authenticatorData</dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-ArrayBuffer">ArrayBuffer</a>, readonly</span>
     <dd data-md="">
      <p>This attribute contains the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-3">authenticator data</a> returned by the authenticator. See <a href="#sec-authenticator-data">§5.1 Authenticator data</a>.</p>
     <dt data-md=""><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticatorAssertionResponse" data-dfn-type="attribute" data-export="" id="dom-authenticatorassertionresponse-signature">signature</dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-ArrayBuffer">ArrayBuffer</a>, readonly</span>
     <dd data-md="">
      <p>This attribute contains the raw signature returned from the authenticator. See <a href="#op-get-assertion">§5.2.2 The authenticatorGetAssertion operation</a>.</p>
    </dl>
   </div>
   <h3 class="heading settled" data-level="4.3" id="credential-params"><span class="secno">4.3. </span><span class="content">Parameters for Credential Generation (dictionary <dfn class="dfn-paneled idl-code" data-dfn-type="dictionary" data-export="" id="dictdef-publickeycredentialparameters">PublicKeyCredentialParameters</dfn>)</span><a class="self-link" href="#credential-params"></a></h3>
<pre class="idl highlight def"><span class="kt">dictionary</span> <a class="nv idl-code" data-link-type="dictionary" href="#dictdef-publickeycredentialparameters" id="ref-for-dictdef-publickeycredentialparameters-1">PublicKeyCredentialParameters</a> {
    <span class="kt">required</span> <a class="n" data-link-type="idl-name" href="#enumdef-publickeycredentialtype" id="ref-for-enumdef-publickeycredentialtype-3">PublicKeyCredentialType</a>  <a class="nv idl-code" data-link-type="dict-member" data-type="PublicKeyCredentialType  " href="#dom-publickeycredentialparameters-type" id="ref-for-dom-publickeycredentialparameters-type-3">type</a>;
    <span class="kt">required</span> <a class="n" data-link-type="idl-name" href="https://www.w3.org/TR/WebCryptoAPI/#dfn-AlgorithmIdentifierS">AlgorithmIdentifier</a>   <a class="nv idl-code" data-link-type="dict-member" data-type="AlgorithmIdentifier   " href="#dom-publickeycredentialparameters-algorithm" id="ref-for-dom-publickeycredentialparameters-algorithm-2">algorithm</a>;
};
</pre>
   <div>
     This dictionary is used to supply additional parameters when creating a new credential. 
    <p>The <dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialParameters" data-dfn-type="dict-member" data-export="" id="dom-publickeycredentialparameters-type">type</dfn> member specifies the type of credential to be created.</p>
    <p>The <dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialParameters" data-dfn-type="dict-member" data-export="" id="dom-publickeycredentialparameters-algorithm">algorithm</dfn> member specifies the cryptographic signature algorithm with which the newly generated credential
    will be used, and thus also the type of asymmetric key pair to be generated, e.g., RSA or Elliptic Curve.</p>
   </div>
   <h3 class="heading settled" data-level="4.4" id="sctn-user-credential-params"><span class="secno">4.4. </span><span class="content">User Account Parameters for Credential Generation (dictionary <dfn class="dfn-paneled idl-code" data-dfn-type="dictionary" data-export="" id="dictdef-publickeycredentialuserentity">PublicKeyCredentialUserEntity</dfn>)</span><a class="self-link" href="#sctn-user-credential-params"></a></h3>
<pre class="idl highlight def"><span class="kt">dictionary</span> <a class="nv idl-code" data-link-type="dictionary" href="#dictdef-publickeycredentialuserentity" id="ref-for-dictdef-publickeycredentialuserentity-1">PublicKeyCredentialUserEntity</a> : <a class="n" data-link-type="idl-name" href="#dictdef-publickeycredentialentity" id="ref-for-dictdef-publickeycredentialentity-1">PublicKeyCredentialEntity</a> {
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><span class="kt">DOMString</span></a> <a class="nv idl-code" data-link-type="dict-member" data-type="DOMString " href="#dom-publickeycredentialuserentity-displayname" id="ref-for-dom-publickeycredentialuserentity-displayname-2">displayName</a>;
};
</pre>
   <div>
     This dictionary is used to supply additional parameters about the user account when creating a new credential. 
    <p>The <dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialUserEntity" data-dfn-type="dict-member" data-export="" id="dom-publickeycredentialuserentity-displayname">displayName</dfn> member contains a friendly name for the user account (e.g., "John P. Smith").</p>
   </div>
   <h3 class="heading settled" data-level="4.5" id="dictionary-makecredentialoptions"><span class="secno">4.5. </span><span class="content">Options for Credential Creation (dictionary <dfn class="dfn-paneled idl-code" data-dfn-type="dictionary" data-export="" id="dictdef-makecredentialoptions">MakeCredentialOptions</dfn>)</span><a class="self-link" href="#dictionary-makecredentialoptions"></a></h3>
<pre class="idl highlight def"><span class="kt">dictionary</span> <a class="nv idl-code" data-link-type="dictionary" href="#dictdef-makecredentialoptions" id="ref-for-dictdef-makecredentialoptions-3">MakeCredentialOptions</a> {
    <span class="kt">required</span> <a class="n" data-link-type="idl-name" href="#dictdef-publickeycredentialentity" id="ref-for-dictdef-publickeycredentialentity-2">PublicKeyCredentialEntity</a> <a class="nv idl-code" data-link-type="dict-member" data-type="PublicKeyCredentialEntity " href="#dom-makecredentialoptions-rp" id="ref-for-dom-makecredentialoptions-rp-6">rp</a>;
    <span class="kt">required</span> <a class="n" data-link-type="idl-name" href="#dictdef-publickeycredentialuserentity" id="ref-for-dictdef-publickeycredentialuserentity-2">PublicKeyCredentialUserEntity</a> <a class="nv idl-code" data-link-type="dict-member" data-type="PublicKeyCredentialUserEntity " href="#dom-makecredentialoptions-user" id="ref-for-dom-makecredentialoptions-user-5">user</a>;

    <span class="kt">required</span> <a class="n" data-link-type="idl-name" href="https://heycam.github.io/webidl/#BufferSource">BufferSource</a>                         <a class="nv idl-code" data-link-type="dict-member" data-type="BufferSource                         " href="#dom-makecredentialoptions-challenge" id="ref-for-dom-makecredentialoptions-challenge-2">challenge</a>;
    <span class="kt">required</span> <span class="kt">sequence</span>&lt;<a class="n" data-link-type="idl-name" href="#dictdef-publickeycredentialparameters" id="ref-for-dictdef-publickeycredentialparameters-2">PublicKeyCredentialParameters</a>> <a class="nv idl-code" data-link-type="dict-member" data-type="sequence<PublicKeyCredentialParameters> " href="#dom-makecredentialoptions-parameters" id="ref-for-dom-makecredentialoptions-parameters-3">parameters</a>;

    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-unsigned-long"><span class="kt">unsigned</span> <span class="kt">long</span></a>                        <a class="nv idl-code" data-link-type="dict-member" data-type="unsigned long                        " href="#dom-makecredentialoptions-timeout" id="ref-for-dom-makecredentialoptions-timeout-3">timeout</a>;
    <span class="kt">sequence</span>&lt;<a class="n" data-link-type="idl-name" href="#dictdef-publickeycredentialdescriptor" id="ref-for-dictdef-publickeycredentialdescriptor-1">PublicKeyCredentialDescriptor</a>> <a class="nv idl-code" data-link-type="dict-member" data-type="sequence<PublicKeyCredentialDescriptor> " href="#dom-makecredentialoptions-excludelist" id="ref-for-dom-makecredentialoptions-excludelist-2">excludeList</a>;
    <a class="n" data-link-type="idl-name" href="#dictdef-authenticatorselectioncriteria" id="ref-for-dictdef-authenticatorselectioncriteria-1">AuthenticatorSelectionCriteria</a>       <a class="nv idl-code" data-link-type="dict-member" data-type="AuthenticatorSelectionCriteria       " href="#dom-makecredentialoptions-authenticatorselection" id="ref-for-dom-makecredentialoptions-authenticatorselection-2">authenticatorSelection</a>;
    <a class="n" data-link-type="idl-name" href="#typedefdef-authenticationextensions" id="ref-for-typedefdef-authenticationextensions-5">AuthenticationExtensions</a>             <a class="nv idl-code" data-link-type="dict-member" data-type="AuthenticationExtensions             " href="#dom-makecredentialoptions-extensions" id="ref-for-dom-makecredentialoptions-extensions-3">extensions</a>;
};
</pre>
   <div>
    <dl>
     <dt data-md=""><dfn class="dfn-paneled idl-code" data-dfn-for="MakeCredentialOptions" data-dfn-type="dict-member" data-export="" id="dom-makecredentialoptions-rp">rp</dfn>, <span> of type <a data-link-type="idl-name" href="#dictdef-publickeycredentialentity" id="ref-for-dictdef-publickeycredentialentity-3">PublicKeyCredentialEntity</a></span>
     <dd data-md="">
      <p>This member contains data about the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-26">relying party</a> responsible for the request.</p>
      <p>Its value’s <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-name" id="ref-for-dom-publickeycredentialentity-name-3">name</a></code> member is required, and contains the friendly name of the relying party
(e.g. "Acme Corporation", "Widgets, Inc.", or "Awesome Site".</p>
      <p>Its value’s <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-id" id="ref-for-dom-publickeycredentialentity-id-5">id</a></code> member specifies the <a data-link-type="dfn" href="#relying-party-identifier" id="ref-for-relying-party-identifier-1">relying party identifier</a> with which the credential
should be associated. If this identifier is not explicitly set, it will default to the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#ascii-serialisation-of-an-origin">ASCII serialization</a> of the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#credentialscontainer">CredentialsContainer</a></code> object’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#relevant-settings-object">relevant settings object</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin">origin</a>.</p>
     <dt data-md=""><dfn class="dfn-paneled idl-code" data-dfn-for="MakeCredentialOptions" data-dfn-type="dict-member" data-export="" id="dom-makecredentialoptions-user">user</dfn>, <span> of type <a data-link-type="idl-name" href="#dictdef-publickeycredentialuserentity" id="ref-for-dictdef-publickeycredentialuserentity-3">PublicKeyCredentialUserEntity</a></span>
     <dd data-md="">
      <p>This member contains data about the user account for which the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-27">relying party</a> is requesting attestation.</p>
      <p>Its value’s <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-name" id="ref-for-dom-publickeycredentialentity-name-4">name</a></code> member is required, and contains a name for the user account
(e.g., "john.p.smith@example.com" or "+14255551234").</p>
      <p>Its value’s <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialuserentity-displayname" id="ref-for-dom-publickeycredentialuserentity-displayname-3">displayName</a></code> member is required, and contains a friendly name for the user
account (e.g., "John P. Smith").</p>
      <p>Its value’s <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-id" id="ref-for-dom-publickeycredentialentity-id-6">id</a></code> member is required, and contains an identifier for the account, specified
by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-28">relying party</a>. This is not meant to be displayed to the user, but is used by the relying party to control the
number of credentials - an authenticator will never contain more than one credential for a given relying party under the
same <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-id" id="ref-for-dom-publickeycredentialentity-id-7">id</a></code>.</p>
     <dt data-md=""><dfn class="dfn-paneled idl-code" data-dfn-for="MakeCredentialOptions" data-dfn-type="dict-member" data-export="" id="dom-makecredentialoptions-challenge">challenge</dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#BufferSource">BufferSource</a></span>
     <dd data-md="">
      <p>This member contains a challenge intended to be used for generating the newly created credential’s <a data-link-type="dfn" href="#attestation-objects" id="ref-for-attestation-objects-4">attestation
object</a>.</p>
     <dt data-md=""><dfn class="dfn-paneled idl-code" data-dfn-for="MakeCredentialOptions" data-dfn-type="dict-member" data-export="" id="dom-makecredentialoptions-parameters">parameters</dfn>, <span> of type sequence&lt;<a data-link-type="idl-name" href="#dictdef-publickeycredentialparameters" id="ref-for-dictdef-publickeycredentialparameters-3">PublicKeyCredentialParameters</a>></span>
     <dd data-md="">
      <p>This member contains information about the desired properties of the credential to be created. The sequence is ordered
from most preferred to least preferred. The platform makes a best-effort to create the most preferred credential that it
can.</p>
     <dt data-md=""><dfn class="dfn-paneled idl-code" data-dfn-for="MakeCredentialOptions" data-dfn-type="dict-member" data-export="" id="dom-makecredentialoptions-timeout">timeout</dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-unsigned-long">unsigned long</a></span>
     <dd data-md="">
      <p>This member specifies a time, in milliseconds, that the caller is willing to wait for the call to complete. This is
treated as a hint, and may be overridden by the platform.</p>
     <dt data-md=""><dfn class="dfn-paneled idl-code" data-dfn-for="MakeCredentialOptions" data-dfn-type="dict-member" data-export="" id="dom-makecredentialoptions-excludelist">excludeList</dfn>, <span> of type sequence&lt;<a data-link-type="idl-name" href="#dictdef-publickeycredentialdescriptor" id="ref-for-dictdef-publickeycredentialdescriptor-2">PublicKeyCredentialDescriptor</a>></span>
     <dd data-md="">
      <p>This member is intended for use by <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-29">Relying Parties</a> that wish to limit the creation of multiple credentials for the same
account on a single authenticator. The platform is requested to return an error if the new credential would be created
on an authenticator that also contains one of the credentials enumerated in this parameter.</p>
     <dt data-md=""><dfn class="dfn-paneled idl-code" data-dfn-for="MakeCredentialOptions" data-dfn-type="dict-member" data-export="" id="dom-makecredentialoptions-authenticatorselection">authenticatorSelection</dfn>, <span> of type <a data-link-type="idl-name" href="#dictdef-authenticatorselectioncriteria" id="ref-for-dictdef-authenticatorselectioncriteria-2">AuthenticatorSelectionCriteria</a></span>
     <dd data-md="">
      <p>This member is intended for use by <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-30">Relying Parties</a> that wish to select the appropriate authenticators to participate in
the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create">create()</a></code> or <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get">get()</a></code> operation.</p>
     <dt data-md=""><dfn class="dfn-paneled idl-code" data-dfn-for="MakeCredentialOptions" data-dfn-type="dict-member" data-export="" id="dom-makecredentialoptions-extensions">extensions</dfn>, <span> of type <a data-link-type="idl-name" href="#typedefdef-authenticationextensions" id="ref-for-typedefdef-authenticationextensions-6">AuthenticationExtensions</a></span>
     <dd data-md="">
      <p>This member contains additional parameters requesting additional processing by the client and authenticator. For example,
the caller may request that only authenticators with certain capabilies be used to create the credential, or that
particular information be returned in the <a data-link-type="dfn" href="#attestation-objects" id="ref-for-attestation-objects-5">attestation object</a>. Some extensions are defined in <a href="#extensions">§8 WebAuthn Extensions</a>;
consult the IANA "WebAuthn Extension Identifier" registry established by <a data-link-type="biblio" href="#biblio-webauthn-registries">[WebAuthn-Registries]</a> for an up-to-date list
of registered WebAuthn Extensions.</p>
    </dl>
   </div>
   <h4 class="heading settled" data-level="4.5.1" id="dictionary-pkcredentialentity"><span class="secno">4.5.1. </span><span class="content">Entity Description</span><a class="self-link" href="#dictionary-pkcredentialentity"></a></h4>
   <p>The <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialentity" id="ref-for-dictdef-publickeycredentialentity-4">PublicKeyCredentialEntity</a></code> dictionary describes a user account or a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-31">relying party</a> with which a credential is
associated.</p>
<pre class="idl highlight def"><span class="kt">dictionary</span> <dfn class="nv dfn-paneled idl-code" data-dfn-type="dictionary" data-export="" id="dictdef-publickeycredentialentity">PublicKeyCredentialEntity</dfn> {
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><span class="kt">DOMString</span></a> <a class="nv idl-code" data-link-type="dict-member" data-type="DOMString " href="#dom-publickeycredentialentity-id" id="ref-for-dom-publickeycredentialentity-id-8">id</a>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><span class="kt">DOMString</span></a> <a class="nv idl-code" data-link-type="dict-member" data-type="DOMString " href="#dom-publickeycredentialentity-name" id="ref-for-dom-publickeycredentialentity-name-5">name</a>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-USVString"><span class="kt">USVString</span></a> <a class="nv idl-code" data-link-type="dict-member" data-type="USVString " href="#dom-publickeycredentialentity-icon" id="ref-for-dom-publickeycredentialentity-icon-1">icon</a>;
};
</pre>
   <div>
    <dl>
     <dt data-md=""><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialEntity" data-dfn-type="dict-member" data-export="" id="dom-publickeycredentialentity-id">id</dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-DOMString">DOMString</a></span>
     <dd data-md="">
      <p>A unique identifier for the entity. This will be the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#ascii-serialisation-of-an-origin">ASCII serialization of an origin</a> for a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-32">relying party</a>,
and an arbitrary string specified by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-33">relying party</a> for user accounts.</p>
     <dt data-md=""><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialEntity" data-dfn-type="dict-member" data-export="" id="dom-publickeycredentialentity-name">name</dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-DOMString">DOMString</a></span>
     <dd data-md="">
      <p>A human-friendly identifier for the entity. For example, this could be a company name for a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-34">relying party</a>, or a
user’s name. This identifier is intended for display.</p>
     <dt data-md=""><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialEntity" data-dfn-type="dict-member" data-export="" id="dom-publickeycredentialentity-icon">icon</dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-USVString">USVString</a></span>
     <dd data-md="">
      <p>A <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-serializer">serialized</a> URL which resolves to an image associated with the entity. For example, this could be
a user’s avatar or a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-35">relying party</a>'s logo.</p>
    </dl>
   </div>
   <h4 class="heading settled" data-level="4.5.2" id="authenticatorSelection"><span class="secno">4.5.2. </span><span class="content">Authenticator Selection Criteria</span><a class="self-link" href="#authenticatorSelection"></a></h4>
   <p><a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-36">Relying Parties</a> may use the <code class="idl"><a data-link-type="idl" href="#dictdef-authenticatorselectioncriteria" id="ref-for-dictdef-authenticatorselectioncriteria-3">AuthenticatorSelectionCriteria</a></code> dictionary to specify their requirements regarding authenticator attributes.</p>
<pre class="idl highlight def"><span class="kt">dictionary</span> <dfn class="nv dfn-paneled idl-code" data-dfn-type="dictionary" data-export="" id="dictdef-authenticatorselectioncriteria">AuthenticatorSelectionCriteria</dfn> {
    <a class="n" data-link-type="idl-name" href="#enumdef-attachment" id="ref-for-enumdef-attachment-1">Attachment</a>    <a class="nv idl-code" data-link-type="dict-member" data-type="Attachment    " href="#dom-authenticatorselectioncriteria-attachment" id="ref-for-dom-authenticatorselectioncriteria-attachment-2">attachment</a>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-boolean"><span class="kt">boolean</span></a>       <a class="nv idl-code" data-default="false" data-link-type="dict-member" data-type="boolean       " href="#dom-authenticatorselectioncriteria-requireresidentkey" id="ref-for-dom-authenticatorselectioncriteria-requireresidentkey-2">requireResidentKey</a> = <span class="kt">false</span>;
};
</pre>
   <div>
    <dl>
     <dt data-md=""><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticatorSelectionCriteria" data-dfn-type="dict-member" data-export="" id="dom-authenticatorselectioncriteria-attachment">attachment</dfn>, <span> of type <a data-link-type="idl-name" href="#enumdef-attachment" id="ref-for-enumdef-attachment-2">Attachment</a></span>
     <dd data-md="">
      <p>If this memeber is <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-present">present</a>, eligible authenticators are filtered to only authenticators attached with the
specified <a href="#attachment">§4.5.3 Credential Attachment enumeration (enum Attachment)</a>.</p>
     <dt data-md=""><dfn class="dfn-paneled idl-code" data-dfn-for="AuthenticatorSelectionCriteria" data-dfn-type="dict-member" data-export="" id="dom-authenticatorselectioncriteria-requireresidentkey">requireResidentKey</dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-boolean">boolean</a>, defaulting to <code>false</code></span>
     <dd data-md="">
      <p>This member describes the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-37">Relying Parties</a>' requirements regarding availability of the <a data-link-type="dfn" href="#client-side-resident-credential-private-key" id="ref-for-client-side-resident-credential-private-key-4">Client-side-resident Credential
Private Key</a>. If the parameter is set to true, the authenticator MUST create a <a data-link-type="dfn" href="#client-side-resident-credential-private-key" id="ref-for-client-side-resident-credential-private-key-5">Client-side-resident Credential Private Key</a> when creating a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential-16">public key credential</a>.</p>
    </dl>
   </div>
   <h4 class="heading settled" data-level="4.5.3" id="attachment"><span class="secno">4.5.3. </span><span class="content">Credential Attachment enumeration (enum <dfn class="dfn-paneled idl-code" data-dfn-type="enum" data-export="" id="enumdef-attachment">Attachment</dfn>)</span><a class="self-link" href="#attachment"></a></h4>
<pre class="idl highlight def"><span class="kt">enum</span> <a class="nv idl-code" data-link-type="enum" href="#enumdef-attachment" id="ref-for-enumdef-attachment-3">Attachment</a> {
    <dfn class="s idl-code" data-dfn-for="Attachment" data-dfn-type="enum-value" data-export="" data-lt="&quot;platform&quot;|platform" id="dom-attachment-platform">"platform"<a class="self-link" href="#dom-attachment-platform"></a></dfn>,
    <dfn class="s idl-code" data-dfn-for="Attachment" data-dfn-type="enum-value" data-export="" data-lt="&quot;cross-platform&quot;|cross-platform" id="dom-attachment-cross-platform">"cross-platform"<a class="self-link" href="#dom-attachment-cross-platform"></a></dfn>
};
</pre>
   <p>Clients may communicate with authenticators using a variety of mechanisms. For example, a client may use a platform-specific
API to communicate with an authenticator which is physically bound to a platform. On the other hand, a client may use a
variety of standardized cross-platform transport protocols such as Bluetooth (see <a href="#transport">§4.8.4 Credential Transport enumeration (enum ExternalTransport)</a>) to discover and
communicate with <a data-link-type="dfn" href="#cross-platform-attached" id="ref-for-cross-platform-attached-1">cross-platform attached</a> authenticators. Therefore, we use <code class="idl"><a data-link-type="idl" href="#enumdef-attachment" id="ref-for-enumdef-attachment-4">Attachment</a></code> to describe an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-26">authenticator</a>'s <dfn data-dfn-type="dfn" data-noexport="" id="attachment-modality">attachment modality<a class="self-link" href="#attachment-modality"></a></dfn>. We define authenticators that are part of the client’s
platform as having a <a data-link-type="dfn" href="#platform-attachment" id="ref-for-platform-attachment-1">platform attachment</a>, and refer to them as <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="platform-authenticators">platform authenticators</dfn>. While those that
are reachable via cross-platform transport protocols are defined as having <a data-link-type="dfn" href="#cross-platform-attached" id="ref-for-cross-platform-attached-2">cross-platform attachment</a>, and refer to
them as <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="roaming-authenticators">roaming authenticators</dfn>.</p>
   <ul>
    <li><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="platform-attachment">platform attachment</dfn> - the respective authenticator is attached
        using platform-specific transports.  Usually, authenticators of
        this class are non-removable from the platform. 
    <li><dfn class="dfn-paneled" data-dfn-type="dfn" data-lt="cross-platform attached|cross-platform attachment" data-noexport="" id="cross-platform-attached">cross-platform attachment</dfn> - the respective
        authenticator is attached using cross-platform transports. Authenticators of this class are removable from, and can
        "roam" among, client platforms. 
   </ul>
   <p>This distinction is important because there are use-cases where only <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators-1">platform authenticators</a> are acceptable to a
Relying Party, and conversely ones where only <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators-2">roaming authenticators</a> are employed. As a concrete example of the former, a
credential on a <a data-link-type="dfn" href="#platform-authenticators" id="ref-for-platform-authenticators-2">platform authenticator</a> may be used by Relying Parties to quickly and conveniently reauthenticate the user with
a minimum of friction, e.g., the user will not have to dig around in their pocket for their key fob or phone. As a concrete
example of the latter, when the user is accessing the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-38">Relying Party</a> from a given client for the first time, they may be required to
use a <a data-link-type="dfn" href="#roaming-authenticators" id="ref-for-roaming-authenticators-3">roaming authenticator</a> which was originally registered with the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-39">Relying Party</a> using a different client.</p>
   <h3 class="heading settled" data-level="4.6" id="assertion-options"><span class="secno">4.6. </span><span class="content">Options for Assertion Generation (dictionary <dfn class="dfn-paneled idl-code" data-dfn-type="dictionary" data-export="" id="dictdef-publickeycredentialrequestoptions">PublicKeyCredentialRequestOptions</dfn>)</span><a class="self-link" href="#assertion-options"></a></h3>
   <p>The <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialrequestoptions" id="ref-for-dictdef-publickeycredentialrequestoptions-2">PublicKeyCredentialRequestOptions</a></code> dictionary supplies <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get">get()</a></code> with the data it needs to generate
an assertion. Its <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-challenge" id="ref-for-dom-publickeycredentialrequestoptions-challenge-2">challenge</a></code> member must be present, while its other members are optional.</p>
<pre class="idl highlight def"><span class="kt">dictionary</span> <a class="nv idl-code" data-link-type="dictionary" href="#dictdef-publickeycredentialrequestoptions" id="ref-for-dictdef-publickeycredentialrequestoptions-3">PublicKeyCredentialRequestOptions</a> {
    <span class="kt">required</span> <a class="n" data-link-type="idl-name" href="https://heycam.github.io/webidl/#BufferSource">BufferSource</a>                <a class="nv idl-code" data-link-type="dict-member" data-type="BufferSource                " href="#dom-publickeycredentialrequestoptions-challenge" id="ref-for-dom-publickeycredentialrequestoptions-challenge-3">challenge</a>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-unsigned-long"><span class="kt">unsigned</span> <span class="kt">long</span></a>                        <a class="nv idl-code" data-link-type="dict-member" data-type="unsigned long                        " href="#dom-publickeycredentialrequestoptions-timeout" id="ref-for-dom-publickeycredentialrequestoptions-timeout-3">timeout</a>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-USVString"><span class="kt">USVString</span></a>                            <a class="nv idl-code" data-link-type="dict-member" data-type="USVString                            " href="#dom-publickeycredentialrequestoptions-rpid" id="ref-for-dom-publickeycredentialrequestoptions-rpid-4">rpId</a>;
    <span class="kt">sequence</span>&lt;<a class="n" data-link-type="idl-name" href="#dictdef-publickeycredentialdescriptor" id="ref-for-dictdef-publickeycredentialdescriptor-3">PublicKeyCredentialDescriptor</a>> <a class="nv idl-code" data-default="None" data-link-type="dict-member" data-type="sequence<PublicKeyCredentialDescriptor> " href="#dom-publickeycredentialrequestoptions-allowlist" id="ref-for-dom-publickeycredentialrequestoptions-allowlist-5">allowList</a> = [];
    <a class="n" data-link-type="idl-name" href="#typedefdef-authenticationextensions" id="ref-for-typedefdef-authenticationextensions-7">AuthenticationExtensions</a>             <a class="nv idl-code" data-link-type="dict-member" data-type="AuthenticationExtensions             " href="#dom-publickeycredentialrequestoptions-extensions" id="ref-for-dom-publickeycredentialrequestoptions-extensions-3">extensions</a>;
};
</pre>
   <dl>
    <dt data-md=""><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialRequestOptions" data-dfn-type="dict-member" data-export="" id="dom-publickeycredentialrequestoptions-challenge">challenge</dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#BufferSource">BufferSource</a></span>
    <dd data-md="">
     <p>This member represents a challenge that the selected <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-27">authenticator</a> signs, along with other data, when producing an <a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion-7">authentication assertion</a>.</p>
    <dt data-md=""><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialRequestOptions" data-dfn-type="dict-member" data-export="" id="dom-publickeycredentialrequestoptions-timeout">timeout</dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-unsigned-long">unsigned long</a></span>
    <dd data-md="">
     <p>This optional member specifies a time, in milliseconds, that the caller is willing to wait for the call to complete.
The value is treated as a hint, and may be overridden by the platform.</p>
    <dt data-md=""><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialRequestOptions" data-dfn-type="dict-member" data-export="" id="dom-publickeycredentialrequestoptions-rpid">rpId</dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-USVString">USVString</a></span>
    <dd data-md="">
     <p>This optional member specifies the <a data-link-type="dfn" href="#relying-party-identifier" id="ref-for-relying-party-identifier-2">relying party identifier</a> claimed by the caller. If omitted, its value will
be the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#ascii-serialisation-of-an-origin">ASCII serialization</a> of the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#credentialscontainer">CredentialsContainer</a></code> object’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#relevant-settings-object">relevant
settings object</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin">origin</a>.</p>
    <dt data-md=""><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialRequestOptions" data-dfn-type="dict-member" data-export="" id="dom-publickeycredentialrequestoptions-allowlist">allowList</dfn>, <span> of type sequence&lt;<a data-link-type="idl-name" href="#dictdef-publickeycredentialdescriptor" id="ref-for-dictdef-publickeycredentialdescriptor-4">PublicKeyCredentialDescriptor</a>>, defaulting to <code>None</code></span>
    <dd data-md="">
     <p>This optional member contains a list of <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialdescriptor" id="ref-for-dictdef-publickeycredentialdescriptor-5">PublicKeyCredentialDescriptor</a></code> object representing <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential-17">public key credentials</a> acceptable to the caller, in decending order of the caller’s preference (the first item in the list is the most
preferred credential, and so on down the line).</p>
    <dt data-md=""><dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialRequestOptions" data-dfn-type="dict-member" data-export="" id="dom-publickeycredentialrequestoptions-extensions">extensions</dfn>, <span> of type <a data-link-type="idl-name" href="#typedefdef-authenticationextensions" id="ref-for-typedefdef-authenticationextensions-8">AuthenticationExtensions</a></span>
    <dd data-md="">
     <p>This optional member contains additional parameters requesting additional processing by the client and authenticator.
For example, if transaction confirmation is sought from the user, then the prompt string might be included as an
extension.</p>
   </dl>
   <h3 class="heading settled" data-level="4.7" id="iface-authentication-extensions"><span class="secno">4.7. </span><span class="content">Authentication Extensions (typedef <dfn data-dfn-type="dfn" data-noexport="" id="authenticationextensions">AuthenticationExtensions<a class="self-link" href="#authenticationextensions"></a></dfn>)</span><a class="self-link" href="#iface-authentication-extensions"></a></h3>
<pre class="idl highlight def"><span class="kt">typedef</span> <span class="kt">record</span>&lt;<span class="kt">DOMString</span>, <span class="kt">any</span>> <dfn class="nv dfn-paneled idl-code" data-dfn-type="typedef" data-export="" id="typedefdef-authenticationextensions">AuthenticationExtensions</dfn>;
</pre>
   <p>This is a dictionary containing zero or more WebAuthn extensions, as defined in <a href="#extensions">§8 WebAuthn Extensions</a>.
An AuthenticationExtensions instance can contain either <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension-3">client extensions</a> or <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension-3">authenticator extensions</a>, depending upon
context.</p>
   <h3 class="heading settled" data-level="4.8" id="supporting-data-structures"><span class="secno">4.8. </span><span class="content">Supporting Data Structures</span><a class="self-link" href="#supporting-data-structures"></a></h3>
   <p>The <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential-18">public key credential</a> type uses certain data structures that are specified in supporting specifications. These are as
follows.</p>
   <h4 class="heading settled" data-level="4.8.1" id="sec-client-data"><span class="secno">4.8.1. </span><span class="content">Client data used in WebAuthn signatures (dictionary <dfn class="dfn-paneled idl-code" data-dfn-type="dictionary" data-export="" id="dictdef-collectedclientdata">CollectedClientData</dfn>)</span><a class="self-link" href="#sec-client-data"></a></h4>
   <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="client-data">client data</dfn> represents the contextual bindings of both the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-40">Relying Party</a> and the client platform. It is a key-value
mapping with string-valued keys. Values may be any type that has a valid encoding in JSON. Its structure is defined by the
following Web IDL.</p>
<pre class="idl highlight def"><span class="kt">dictionary</span> <a class="nv idl-code" data-link-type="dictionary" href="#dictdef-collectedclientdata" id="ref-for-dictdef-collectedclientdata-3">CollectedClientData</a> {
    <span class="kt">required</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><span class="kt">DOMString</span></a>           <a class="nv idl-code" data-link-type="dict-member" data-type="DOMString           " href="#dom-collectedclientdata-challenge" id="ref-for-dom-collectedclientdata-challenge-3">challenge</a>;
    <span class="kt">required</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><span class="kt">DOMString</span></a>           <a class="nv idl-code" data-link-type="dict-member" data-type="DOMString           " href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin-3">origin</a>;
    <span class="kt">required</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><span class="kt">DOMString</span></a>           <a class="nv idl-code" data-link-type="dict-member" data-type="DOMString           " href="#dom-collectedclientdata-hashalg" id="ref-for-dom-collectedclientdata-hashalg-3">hashAlg</a>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><span class="kt">DOMString</span></a>                    <a class="nv idl-code" data-link-type="dict-member" data-type="DOMString                    " href="#dom-collectedclientdata-tokenbinding" id="ref-for-dom-collectedclientdata-tokenbinding-3">tokenBinding</a>;
    <a class="n" data-link-type="idl-name" href="#typedefdef-authenticationextensions" id="ref-for-typedefdef-authenticationextensions-9">AuthenticationExtensions</a>     <a class="nv idl-code" data-link-type="dict-member" data-type="AuthenticationExtensions     " href="#dom-collectedclientdata-clientextensions" id="ref-for-dom-collectedclientdata-clientextensions-3">clientExtensions</a>;
    <a class="n" data-link-type="idl-name" href="#typedefdef-authenticationextensions" id="ref-for-typedefdef-authenticationextensions-10">AuthenticationExtensions</a>     <a class="nv idl-code" data-link-type="dict-member" data-type="AuthenticationExtensions     " href="#dom-collectedclientdata-authenticatorextensions" id="ref-for-dom-collectedclientdata-authenticatorextensions-3">authenticatorExtensions</a>;
};
</pre>
   <div>
     The <dfn class="dfn-paneled idl-code" data-dfn-for="CollectedClientData" data-dfn-type="dict-member" data-export="" id="dom-collectedclientdata-challenge">challenge</dfn> member contains the base64url encoding of the challenge provided by the RP. 
    <p>The <dfn class="dfn-paneled idl-code" data-dfn-for="CollectedClientData" data-dfn-type="dict-member" data-export="" id="dom-collectedclientdata-origin">origin</dfn> member contains the fully qualified <a data-link-type="dfn" href="https://w3c.github.io/html/browsers.html#concept-cross-origin">origin</a> of the requester, as provided to the authenticator by
    the client, in the syntax defined by <a data-link-type="biblio" href="#biblio-rfc6454">[RFC6454]</a>.</p>
    <p>The <dfn class="dfn-paneled idl-code" data-dfn-for="CollectedClientData" data-dfn-type="dict-member" data-export="" id="dom-collectedclientdata-hashalg">hashAlg</dfn> member is a <a data-link-type="dfn" href="https://www.w3.org/TR/WebCryptoAPI/#recognized-algorithm-name">recognized algorithm name</a> that supports the <code>"digest"</code> operation, which specifies the
    algorithm used to compute the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data-7">hash of the serialized client data</a>. This algorithm is chosen by the client at its sole
    discretion.</p>
    <p>The <dfn class="dfn-paneled idl-code" data-dfn-for="CollectedClientData" data-dfn-type="dict-member" data-export="" id="dom-collectedclientdata-tokenbinding">tokenBinding</dfn> member contains the base64url encoding of the <a data-link-type="dfn" href="https://tools.ietf.org/html/draft-ietf-tokbind-protocol#section-3.2">Token Binding ID</a> that this client uses for the <a data-link-type="dfn" href="https://tools.ietf.org/html/draft-ietf-tokbind-protocol#token-binding">Token Binding</a> protocol when communicating with the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-41">Relying Party</a>. This can be omitted if no <a data-link-type="dfn" href="https://tools.ietf.org/html/draft-ietf-tokbind-protocol#token-binding">Token Binding</a> has been negotiated
    between the client and the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-42">Relying Party</a>.</p>
    <p>The optional <dfn class="dfn-paneled idl-code" data-dfn-for="CollectedClientData" data-dfn-type="dict-member" data-export="" id="dom-collectedclientdata-clientextensions">clientExtensions</dfn> and <dfn class="dfn-paneled idl-code" data-dfn-for="CollectedClientData" data-dfn-type="dict-member" data-export="" id="dom-collectedclientdata-authenticatorextensions">authenticatorExtensions</dfn> members contain additional parameters
    generated by processing the extensions passed in
    by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-43">Relying Party</a>. WebAuthn extensions are detailed in Section <a href="#extensions">§8 WebAuthn Extensions</a>.</p>
    <p>This structure is used by the client to compute the following quantities:</p>
    <dl>
     <dt data-md=""><dfn class="dfn-paneled" data-dfn-for="CollectedClientData" data-dfn-type="dfn" data-noexport="" id="collectedclientdata-json-serialized-client-data">JSON-serialized client data</dfn>
     <dd data-md="">
      <p>This is the <a data-link-type="dfn" href="https://encoding.spec.whatwg.org/#utf-8-encode">UTF-8 encoding</a> of the result of calling the initial value of <code class="idl"><a data-link-type="idl" href="https://tc39.github.io/ecma262/#sec-json.stringify">JSON.stringify</a></code> on a <code class="idl"><a data-link-type="idl" href="#dictdef-collectedclientdata" id="ref-for-dictdef-collectedclientdata-4">CollectedClientData</a></code> dictionary.</p>
     <dt data-md=""><dfn class="dfn-paneled" data-dfn-for="CollectedClientData" data-dfn-type="dfn" data-noexport="" id="collectedclientdata-hash-of-the-serialized-client-data">Hash of the serialized client data</dfn>
     <dd data-md="">
      <p>This is the hash (computed using <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-hashalg" id="ref-for-dom-collectedclientdata-hashalg-4">hashAlg</a></code>) of the <a data-link-type="dfn" href="#collectedclientdata-json-serialized-client-data" id="ref-for-collectedclientdata-json-serialized-client-data-7">JSON-serialized client data</a>, as constructed by the client.</p>
    </dl>
   </div>
   <h4 class="heading settled" data-level="4.8.2" id="credentialType"><span class="secno">4.8.2. </span><span class="content">Credential Type enumeration (enum <dfn class="dfn-paneled idl-code" data-dfn-type="enum" data-export="" id="enumdef-publickeycredentialtype">PublicKeyCredentialType</dfn>)</span><a class="self-link" href="#credentialType"></a></h4>
<pre class="idl highlight def"><span class="kt">enum</span> <a class="nv idl-code" data-link-type="enum" href="#enumdef-publickeycredentialtype" id="ref-for-enumdef-publickeycredentialtype-4">PublicKeyCredentialType</a> {
    <a class="s idl-code" data-link-type="enum-value" href="#dom-publickeycredentialtype-public-key" id="ref-for-dom-publickeycredentialtype-public-key-1">"public-key"</a>
};
</pre>
   <div>
     This enumeration defines the valid credential types. It is an extension point; values may be added to it in the future, as
    more credential types are defined. The values of this enumeration are used for versioning the Authentication Assertion and
    attestation structures according to the type of the authenticator. 
    <p>Currently one credential type is defined, namely "<dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialType" data-dfn-type="enum-value" data-export="" id="dom-publickeycredentialtype-public-key">public-key</dfn>".</p>
   </div>
   <h4 class="heading settled" data-level="4.8.3" id="credential-dictionary"><span class="secno">4.8.3. </span><span class="content">Credential Descriptor (dictionary <dfn class="dfn-paneled idl-code" data-dfn-type="dictionary" data-export="" id="dictdef-publickeycredentialdescriptor">PublicKeyCredentialDescriptor</dfn>)</span><a class="self-link" href="#credential-dictionary"></a></h4>
<pre class="idl highlight def"><span class="kt">dictionary</span> <a class="nv idl-code" data-link-type="dictionary" href="#dictdef-publickeycredentialdescriptor" id="ref-for-dictdef-publickeycredentialdescriptor-6">PublicKeyCredentialDescriptor</a> {
    <span class="kt">required</span> <a class="n" data-link-type="idl-name" href="#enumdef-publickeycredentialtype" id="ref-for-enumdef-publickeycredentialtype-5">PublicKeyCredentialType</a> <a class="nv idl-code" data-link-type="dict-member" data-type="PublicKeyCredentialType " href="#dom-publickeycredentialdescriptor-type" id="ref-for-dom-publickeycredentialdescriptor-type-2">type</a>;
    <span class="kt">required</span> <a class="n" data-link-type="idl-name" href="https://heycam.github.io/webidl/#BufferSource">BufferSource</a> <a class="nv idl-code" data-link-type="dict-member" data-type="BufferSource " href="#dom-publickeycredentialdescriptor-id" id="ref-for-dom-publickeycredentialdescriptor-id-2">id</a>;
    <span class="kt">sequence</span>&lt;<a class="n" data-link-type="idl-name" href="#enumdef-transport" id="ref-for-enumdef-transport-1">Transport</a>>   <dfn class="nv dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialDescriptor" data-dfn-type="dict-member" data-export="" data-type="sequence<Transport>   " id="dom-publickeycredentialdescriptor-transports">transports</dfn>;
};
</pre>
   <p>This dictionary contains the attributes that are specified by a caller when referring to a credential as an input parameter to
the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create">create()</a></code> or <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get">get()</a></code> methods. It mirrors the fields of the <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential-18">PublicKeyCredential</a></code> object returned by the latter methods.</p>
   <div>
     The <dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialDescriptor" data-dfn-type="dict-member" data-export="" id="dom-publickeycredentialdescriptor-type">type</dfn> member contains the type of the credential the caller is referring to. 
    <p>The <dfn class="dfn-paneled idl-code" data-dfn-for="PublicKeyCredentialDescriptor" data-dfn-type="dict-member" data-export="" id="dom-publickeycredentialdescriptor-id">id</dfn> member contains the identifier of the credential that the caller is referring to.</p>
   </div>
   <h4 class="heading settled" data-level="4.8.4" id="transport"><span class="secno">4.8.4. </span><span class="content">Credential Transport enumeration (enum <dfn class="idl-code" data-dfn-type="enum" data-export="" id="enumdef-externaltransport">ExternalTransport<a class="self-link" href="#enumdef-externaltransport"></a></dfn>)</span><a class="self-link" href="#transport"></a></h4>
<pre class="idl highlight def"><span class="kt">enum</span> <dfn class="nv dfn-paneled idl-code" data-dfn-type="enum" data-export="" id="enumdef-transport">Transport</dfn> {
    <a class="s idl-code" data-link-type="enum-value" href="#dom-transport-usb" id="ref-for-dom-transport-usb-1">"usb"</a>,
    <a class="s idl-code" data-link-type="enum-value" href="#dom-transport-nfc" id="ref-for-dom-transport-nfc-1">"nfc"</a>,
    <a class="s idl-code" data-link-type="enum-value" href="#dom-transport-ble" id="ref-for-dom-transport-ble-1">"ble"</a>
};
</pre>
   <div>
     Authenticators may communicate with Clients using a variety of transports. This enumeration defines a hint as to how Clients
    might communicate with a particular Authenticator in order to obtain an assertion for a specific credential.  Note that
    these hints represent the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-44">Relying Party</a>'s best belief as to how an Authenticator may be reached.  A <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-45">Relying Party</a> may obtain a list of
    transports hints from some attestation statement formats or via some out-of-band mechanism; it is outside the scope of this
    specification to define that mechanism. 
    <ul>
     <li><dfn class="dfn-paneled idl-code" data-dfn-for="Transport" data-dfn-type="enum-value" data-export="" id="dom-transport-usb">usb</dfn> - the respective Authenticator may be contacted over USB. 
     <li><dfn class="dfn-paneled idl-code" data-dfn-for="Transport" data-dfn-type="enum-value" data-export="" id="dom-transport-nfc">nfc</dfn> - the respective Authenticator may be contacted over Near Field Communication (NFC). 
     <li><dfn class="dfn-paneled idl-code" data-dfn-for="Transport" data-dfn-type="enum-value" data-export="" id="dom-transport-ble">ble</dfn> - the respective Authenticator may be contacted over Bluetooth Smart (Bluetooth Low Energy / BLE). 
    </ul>
   </div>
   <h4 class="heading settled" data-level="4.8.5" id="alg-identifier"><span class="secno">4.8.5. </span><span class="content">Cryptographic Algorithm Identifier (type <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/WebCryptoAPI/#dfn-AlgorithmIdentifierS">AlgorithmIdentifier</a></code>)</span><a class="self-link" href="#alg-identifier"></a></h4>
   <p>A string or dictionary identifying a cryptographic algorithm and optionally a set of parameters for that algorithm. This type is
defined in <a data-link-type="biblio" href="#biblio-webcryptoapi">[WebCryptoAPI]</a>.</p>
   <h2 class="heading settled" data-level="5" id="authenticator-model"><span class="secno">5. </span><span class="content">WebAuthn Authenticator model</span><a class="self-link" href="#authenticator-model"></a></h2>
   <p>The API defined in this specification implies a specific abstract functional model for an <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-28">authenticator</a>. This section
describes the authenticator model.</p>
   <p>Client platforms may implement and expose this abstract model in any way desired. However, the behavior of the client’s Web
Authentication API implementation, when operating on the authenticators supported by that platform, MUST be indistinguishable
from the behavior specified in <a href="#api">§4 Web Authentication API</a>.</p>
   <p>For authenticators, this model defines the logical operations that they must support, and the data formats that they expose to
the client and the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-46">Relying Party</a>. However, it does not define the details of how authenticators communicate with the client platform,
unless they are required for interoperability with Relying Parties. For instance, this abstract model does not define protocols for
connecting authenticators to clients over transports such as USB or NFC. Similarly, this abstract model does not define specific
error codes or methods of returning them; however, it does define error behavior in terms of the needs of the client. Therefore,
specific error codes are mentioned as a means of showing which error conditions must be distinguishable (or not) from each other
in order to enable a compliant and secure client implementation.</p>
   <p>In this abstract model, the authenticator provides key management and cryptographic signatures. It may be embedded in the
WebAuthn client, or housed in a separate device entirely. The authenticator may itself contain a cryptographic module which
operates at a higher security level than the rest of the authenticator. This is particularly important for authenticators that
are embedded in the WebAuthn client, as in those cases this cryptographic module (which may, for example, be a TPM) could be
considered more trustworthy than the rest of the authenticator.</p>
   <p>Each authenticator stores some number of <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential-19">public key credentials</a>. Each <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential-20">public key credential</a> has an identifier which is
unique (or extremely unlikely to be duplicated) among all <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential-21">public key credentials</a>. Each credential is also associated with a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-47">Relying Party</a>, whose identity is represented by a <a data-link-type="dfn" href="#relying-party-identifier" id="ref-for-relying-party-identifier-3">Relying Party Identifier</a> (<a data-link-type="dfn" href="#rp-id" id="ref-for-rp-id-3">RP ID</a>).</p>
   <p>Each authenticator has an AAGUID, which is a 128-bit identifier that indicates the type (e.g. make and model) of the
authenticator. The AAGUID MUST be chosen by the manufacturer to be identical across all substantially identical authenticators
made by that manufacturer, and different (with probability 1-2<sup>-128</sup> or greater) from the AAGUIDs of all other types of
authenticators. The RP MAY use the AAGUID to infer certain properties of the authenticator, such as certification level and
strength of key protection, using information from other sources.</p>
   <p>The primary function of the authenticator is to provide WebAuthn signatures, which are bound to various contextual data. These
data are observed, and added at different levels of the stack as a signature request passes from the server to the
authenticator. In verifying a signature, the server checks these bindings against expected values. These contextual bindings
are divided in two: Those added by the RP or the client, referred to as <a data-link-type="dfn" href="#client-data" id="ref-for-client-data-2">client data</a>; and those added by the authenticator,
referred to as the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-4">authenticator data</a>. The authenticator signs over the <a data-link-type="dfn" href="#client-data" id="ref-for-client-data-3">client data</a>, but is otherwise not interested in
its contents. To save bandwidth and processing requirements on the authenticator, the client hashes the <a data-link-type="dfn" href="#client-data" id="ref-for-client-data-4">client data</a> and
sends only the result to the authenticator. The authenticator signs over the combination of the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data-8">hash of the serialized client data</a>, and its own <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-5">authenticator data</a>.</p>
   <p>The goals of this design can be summarized as follows.</p>
   <ul>
    <li data-md="">
     <p>The scheme for generating signatures should accommodate cases where the link between the client platform and authenticator
is very limited, in bandwidth and/or latency. Examples include Bluetooth Low Energy and Near-Field Communication.</p>
    <li data-md="">
     <p>The data processed by the authenticator should be small and easy to interpret in low-level code. In particular, authenticators
should not have to parse high-level encodings such as JSON.</p>
    <li data-md="">
     <p>Both the client platform and the authenticator should have the flexibility to add contextual bindings as needed.</p>
    <li data-md="">
     <p>The design aims to reuse as much as possible of existing encoding formats in order to aid adoption and implementation.</p>
   </ul>
   <p>Authenticators produce cryptographic signatures for two distinct purposes:</p>
   <ol>
    <li data-md="">
     <p>An <dfn data-dfn-type="dfn" data-noexport="" id="attestation-signature">attestation signature<a class="self-link" href="#attestation-signature"></a></dfn> is produced when a new credential is created, and provides cryptographic proof of certain
properties of the credential and the authenticator. For instance, an attestation signature asserts the type of authenticator
(as denoted by its AAGUID) and the public key of the credential. The attestation signature is signed by an attestation key,
which is chosen depending on the type of attestation desired. For more details on attestation, see <a href="#cred-attestation">§5.3 Credential Attestation</a>.</p>
    <li data-md="">
     <p>An <dfn data-dfn-type="dfn" data-noexport="" id="assertion-signature">assertion signature<a class="self-link" href="#assertion-signature"></a></dfn> is produced when the <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion-7">authenticatorGetAssertion</a> method is invoked. It represents an
assertion by the authenticator that the user has consented to a specific transaction, such as logging in, or completing a
purchase. Thus, an assertion signature asserts that the authenticator which possesses a particular credential private key
has established, to the best of its ability, that the human who is requesting this transaction is the same human who
consented to creating that particular credential. It also provides additional information that might be useful to the
caller, such as the means by which user consent was provided, and the prompt that was shown to the user by the
authenticator.</p>
   </ol>
   <p>The formats of these signatures, as well as the procedures for generating them, are specified below.</p>
   <h3 class="heading settled" data-level="5.1" id="sec-authenticator-data"><span class="secno">5.1. </span><span class="content">Authenticator data</span><a class="self-link" href="#sec-authenticator-data"></a></h3>
   <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="authenticator-data">authenticator data</dfn> structure encodes contextual bindings made by the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-29">authenticator</a>. These bindings are
controlled by the authenticator itself, and derive their trust from the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-48">Relying Party</a>'s assessment of the security properties of the
authenticator. In one extreme case, the authenticator may be embedded in the client, and its bindings may be no more trustworthy
than the <a data-link-type="dfn" href="#client-data" id="ref-for-client-data-5">client data</a>. At the other extreme, the authenticator may be a discrete entity with high-security hardware and
software, connected to the client over a secure channel. In both cases, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-49">Relying Party</a> receives the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-6">authenticator data</a> in the same
format, and uses its knowledge of the authenticator to make trust decisions.</p>
   <p>The <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-7">authenticator data</a> has a compact but extensible encoding. This is desired since authenticators can be devices with
limited capabilities and low power requirements, with much simpler software stacks than the client platform components.</p>
   <p>The <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-8">authenticator data</a> structure is a byte array of 37 bytes or more, as follows.</p>
   <table class="complex data longlastcol">
    <tbody>
     <tr>
      <th>Length (in bytes)
      <th>Description
     <tr>
      <td>32
      <td> SHA-256 hash of the RP ID associated with the credential. 
     <tr>
      <td>1
      <td>
        Flags (bit 0 is the least significant bit): 
       <ul>
        <li data-md="">
         <p>Bit 0: <a data-link-type="dfn" href="#test-of-user-presence" id="ref-for-test-of-user-presence-3">Test of User Presence</a> (<code>TUP</code>) result.</p>
        <li data-md="">
         <p>Bits 1-5: Reserved for future use (<code>RFU</code>).</p>
        <li data-md="">
         <p>Bit 6: <a data-link-type="dfn" href="#attestation-data" id="ref-for-attestation-data-1">Attestation data</a> included (<code>AT</code>). Indicates whether the authenticator added <a data-link-type="dfn" href="#attestation-data" id="ref-for-attestation-data-2">attestation data</a>.</p>
        <li data-md="">
         <p>Bit 7: Extension data included (<code>ED</code>). Indicates if the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-9">authenticator data</a> has extensions.</p>
       </ul>
     <tr>
      <td>4
      <td>Signature counter (<code>signCount</code>), 32-bit unsigned big-endian integer.
     <tr>
      <td>variable (if present)
      <td> <a data-link-type="dfn" href="#attestation-data" id="ref-for-attestation-data-3">attestation data</a> (if present). See <a href="#sec-attestation-data">§5.3.1 Attestation data</a> for details. Its length depends on the length of
            the <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key-3">credential public key</a> and credential ID being attested. 
     <tr>
      <td>variable (if present)
      <td> Extension-defined <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-10">authenticator data</a>. This is a <a data-link-type="dfn" href="#cbor" id="ref-for-cbor-3">CBOR</a> <a data-link-type="biblio" href="#biblio-rfc7049">[RFC7049]</a> map with <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier-4">extension identifiers</a> as keys,
            and <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output-1">authenticator extension outputs</a> as values. See <a href="#extensions">§8 WebAuthn Extensions</a> for details. 
   </table>
   <p>The RP ID is originally received from the client when the credential is created, and again when an assertion is generated.
However, it differs from other <a data-link-type="dfn" href="#client-data" id="ref-for-client-data-6">client data</a> in some important ways. First, unlike the client data, the RP ID of a credential
does not change between operations but instead remains the same for the lifetime of that credential. Secondly, it is validated
by the authenticator during the <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion-8">authenticatorGetAssertion</a> operation, by verifying that the RP ID associated with the
requested credential exactly matches the RP ID supplied by the client.</p>
   <p>The <code>TUP</code> flag SHALL be set if and only if the authenticator detected a user through an authenticator specific gesture. The <code>RFU</code> bits
SHALL be set to zero.</p>
   <p>For attestation signatures, the authenticator MUST set the AT flag and include the <a data-link-type="dfn" href="#attestation-data" id="ref-for-attestation-data-4">attestation data</a>. For authentication
signatures, the AT flag MUST NOT be set and the <a data-link-type="dfn" href="#attestation-data" id="ref-for-attestation-data-5">attestation data</a> MUST NOT be included.</p>
   <p>If the authenticator does not include any extension data, it MUST set the <code>ED</code> flag in the first byte to zero, and to one if
extension data is included.</p>
   <p>The <a href="#fig-authData">figure below</a> shows a visual representation of the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-11">authenticator data</a> structure.</p>
   <figure id="fig-authData">
     <img src="images/fido-signature-formats-figure1.svg"> 
    <figcaption><a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-12">Authenticator data</a> layout.</figcaption>
   </figure>
   <p>Note that the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-13">authenticator data</a> describes its own length: If the AT and ED flags are not set, it is always 37 bytes long.
The <a data-link-type="dfn" href="#attestation-data" id="ref-for-attestation-data-6">attestation data</a> (which is only present if the AT flag is set) describes its own length. If the ED flag is set, then the
total length is 37 bytes plus the length of the <a data-link-type="dfn" href="#attestation-data" id="ref-for-attestation-data-7">attestation data</a>, plus the length of the <a data-link-type="dfn" href="#cbor" id="ref-for-cbor-4">CBOR</a> map that follows.</p>
   <h3 class="heading settled" data-level="5.2" id="authenticator-ops"><span class="secno">5.2. </span><span class="content">Authenticator operations</span><a class="self-link" href="#authenticator-ops"></a></h3>
   <p>A client must connect to an authenticator in order to invoke any of the operations of that authenticator. This connection
defines an authenticator session. An authenticator must maintain isolation between sessions. It may do this by only allowing one
session to exist at any particular time, or by providing more complicated session management.</p>
   <p>The following operations can be invoked by the client in an authenticator session.</p>
   <h4 class="heading settled" data-level="5.2.1" id="op-make-cred"><span class="secno">5.2.1. </span><span class="content">The <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="authenticatormakecredential">authenticatorMakeCredential</dfn> operation</span><a class="self-link" href="#op-make-cred"></a></h4>
   <p>This operation must be invoked in an authenticator session which has no other operations in progress. It takes the following
input parameters:</p>
   <ul>
    <li data-md="">
     <p>The caller’s RP ID, as determined by the user agent and the client.</p>
    <li data-md="">
     <p>The <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data-9">hash of the serialized client data</a>, provided by the client.</p>
    <li data-md="">
     <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-50">relying party</a>'s <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialentity" id="ref-for-dictdef-publickeycredentialentity-5">PublicKeyCredentialEntity</a></code>.</p>
    <li data-md="">
     <p>The user account’s <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialentity" id="ref-for-dictdef-publickeycredentialentity-6">PublicKeyCredentialEntity</a></code>.</p>
    <li data-md="">
     <p>The <code class="idl"><a data-link-type="idl" href="#enumdef-publickeycredentialtype" id="ref-for-enumdef-publickeycredentialtype-6">PublicKeyCredentialType</a></code> and cryptographic parameters requested by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-51">Relying Party</a>, with the cryptographic algorithms normalized
as per the procedure in <a href="https://www.w3.org/TR/WebCryptoAPI/#algorithm-normalization-normalize-an-algorithm">Web Cryptography API §algorithm-normalization-normalize-an-algorithm</a>.</p>
    <li data-md="">
     <p>A list of <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential-19">PublicKeyCredential</a></code> objects provided by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-52">Relying Party</a> with the intention that, if any of these are known to the
authenticator, it should not create a new credential.</p>
    <li data-md="">
     <p>Extension data created by the client based on the extensions requested by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-53">Relying Party</a>.</p>
    <li data-md="">
     <p>The <var>requireResidentKey</var> parameter of the <var>options</var>.<code class="idl"><a data-link-type="idl" href="#dom-makecredentialoptions-authenticatorselection" id="ref-for-dom-makecredentialoptions-authenticatorselection-3">authenticatorSelection</a></code> dictionary.</p>
   </ul>
   <p>When this operation is invoked, the authenticator must perform the following procedure:</p>
   <ul>
    <li data-md="">
     <p>Check if all the supplied parameters are syntactically well-formed and of the correct length. If not, return an error code
equivalent to UnknownError and terminate the operation.</p>
    <li data-md="">
     <p>Check if at least one of the specified combinations of <code class="idl"><a data-link-type="idl" href="#enumdef-publickeycredentialtype" id="ref-for-enumdef-publickeycredentialtype-7">PublicKeyCredentialType</a></code> and cryptographic parameters is supported.
If not, return an error code equivalent to NotSupportedError and terminate the operation.</p>
    <li data-md="">
     <p>Check if a credential matching any of the supplied <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential-20">PublicKeyCredential</a></code> identifiers is present on this authenticator. If
so, return an error code equivalent to NotAllowedError and terminate the operation.</p>
    <li data-md="">
     <p>If the <var>requireResidentKey</var> flag is set to <var>true</var> and the authenticator cannot store a <a data-link-type="dfn" href="#client-side-resident-credential-private-key" id="ref-for-client-side-resident-credential-private-key-6">Client-side-resident Credential
Private Key</a>, return an error code equivalent to ConstraintError and terminate the operation.</p>
    <li data-md="">
     <p>Prompt the user for consent to create a new credential. The prompt for obtaining this consent is shown by the authenticator
if it has its own output capability, or by the user agent otherwise. If the user denies consent, return an error code
equivalent to NotAllowedError and terminate the operation.</p>
    <li data-md="">
     <p>Once user consent has been obtained, generate a new credential object:</p>
     <ul>
      <li data-md="">
       <p>Generate a set of cryptographic keys using the most preferred combination of <code class="idl"><a data-link-type="idl" href="#enumdef-publickeycredentialtype" id="ref-for-enumdef-publickeycredentialtype-8">PublicKeyCredentialType</a></code> and cryptographic
parameters supported by this authenticator.</p>
      <li data-md="">
       <p>Generate an identifier for this credential, such that this identifier is globally unique with high probability across all
credentials with the same type across all authenticators.</p>
      <li data-md="">
       <p>Associate the credential with the specified RP ID and the user’s account identifier <code class="idl"><a data-link-type="idl" href="#dom-makecredentialoptions-user" id="ref-for-dom-makecredentialoptions-user-6">user</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-id" id="ref-for-dom-publickeycredentialentity-id-9">id</a></code>.</p>
      <li data-md="">
       <p>Delete any older credentials with the same RP ID and <code class="idl"><a data-link-type="idl" href="#dom-makecredentialoptions-user" id="ref-for-dom-makecredentialoptions-user-7">user</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialentity-id" id="ref-for-dom-publickeycredentialentity-id-10">id</a></code> that
are stored locally in the authenticator.</p>
     </ul>
    <li data-md="">
     <p>If any error occurred while creating the new credential object, return an error code equivalent to UnknownError and terminate
the operation.</p>
    <li data-md="">
     <p>Process all the supported extensions requested by the client, and generate the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-14">authenticator data</a> with <a data-link-type="dfn" href="#attestation-data" id="ref-for-attestation-data-8">attestation data</a> as specified in <a href="#sec-authenticator-data">§5.1 Authenticator data</a>. Use this <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-15">authenticator data</a> and the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data-10">hash of the serialized client data</a> to create an <a data-link-type="dfn" href="#attestation-objects" id="ref-for-attestation-objects-6">attestation object</a> for the new credential using the procedure
specified in <a href="#generating-an-attestation-object">§5.3.4 Generating an Attestation Object</a>. For more details on attestation, see <a href="#cred-attestation">§5.3 Credential Attestation</a>.</p>
   </ul>
   <p>On successful completion of this operation, the authenticator returns the <a data-link-type="dfn" href="#attestation-objects" id="ref-for-attestation-objects-7">attestation object</a> to the client.</p>
   <h4 class="heading settled" data-level="5.2.2" id="op-get-assertion"><span class="secno">5.2.2. </span><span class="content">The <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="authenticatorgetassertion">authenticatorGetAssertion</dfn> operation</span><a class="self-link" href="#op-get-assertion"></a></h4>
   <p>This operation must be invoked in an authenticator session which has no other operations in progress. It takes the following
input parameters:</p>
   <ul>
    <li data-md="">
     <p>The caller’s RP ID, as determined by the user agent and the client.</p>
    <li data-md="">
     <p>The <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data-11">hash of the serialized client data</a>, provided by the client.</p>
    <li data-md="">
     <p>A list of credentials acceptable to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-54">Relying Party</a> (possibly filtered by the client).</p>
    <li data-md="">
     <p>Extension data created by the client based on the extensions requested by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-55">Relying Party</a>.</p>
   </ul>
   <p>When this method is invoked, the authenticator must perform the following procedure:</p>
   <ul>
    <li data-md="">
     <p>Check if all the supplied parameters are syntactically well-formed and of the correct length. If not, return an error code
equivalent to UnknownError and terminate the operation.</p>
    <li data-md="">
     <p>If a list of credentials was supplied by the client, filter it by removing those credentials that are not present on this
authenticator. If no list was supplied, create a list with all credentials stored for the caller’s RP ID (as determined by
an exact match of the RP ID).</p>
    <li data-md="">
     <p>If the previous step resulted in an empty list, return an error code equivalent to NotAllowedError and terminate the
operation.</p>
    <li data-md="">
     <p>Prompt the user to select a credential from among the above list. Obtain user consent for using this credential. The prompt
for obtaining this consent may be shown by the authenticator if it has its own output capability, or by the user agent
otherwise.</p>
    <li data-md="">
     <p>Process all the supported extensions requested by the client, and generate the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-16">authenticator data</a> without <a data-link-type="dfn" href="#attestation-data" id="ref-for-attestation-data-9">attestation data</a> as specified in <a href="#sec-authenticator-data">§5.1 Authenticator data</a>. Concatenate this <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-17">authenticator data</a> with the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data-12">hash of the serialized client data</a> to generate an assertion signature using the private key of the selected credential <a href="#fig-signature">as shown below</a>. A simple, undelimited concatenation is safe to use here because the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-18">authenticator data</a> describes its own length. The <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data-13">hash of the serialized client data</a> (which potentially has a
variable length) is always the last element.</p>
    <li data-md="">
     <p>If any error occurred while generating the assertion signature, return an error code equivalent to UnknownError and terminate
the operation.</p>
   </ul>
   <figure id="fig-signature">
     <img src="images/fido-signature-formats-figure2.svg"> 
    <figcaption>Generating a signature on the authenticator.</figcaption>
   </figure>
   <p>On successful completion, the authenticator returns to the user agent:</p>
   <ul>
    <li data-md="">
     <p>The identifier of the credential used to generate the signature.</p>
    <li data-md="">
     <p>The <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-19">authenticator data</a> used to generate the signature.</p>
    <li data-md="">
     <p>The assertion signature.</p>
   </ul>
   <p>If the authenticator cannot find any credential corresponding to the specified <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-56">Relying Party</a> that matches the specified criteria, it
terminates the operation and returns an error.</p>
   <p>If the user refuses consent, the authenticator returns an appropriate error status to the client.</p>
   <h4 class="heading settled" data-level="5.2.3" id="op-cancel"><span class="secno">5.2.3. </span><span class="content">The <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="authenticatorcancel">authenticatorCancel</dfn> operation</span><a class="self-link" href="#op-cancel"></a></h4>
   <p>This operation takes no input parameters and returns no result.</p>
   <p>When this operation is invoked by the client in an authenticator session, it has the effect of terminating any <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential-6">authenticatorMakeCredential</a> or <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion-9">authenticatorGetAssertion</a> operation currently in progress in that authenticator
session. The authenticator stops prompting for, or accepting, any user input related to authorizing the canceled operation. The
client ignores any further responses from the authenticator for the canceled operation.</p>
   <p>This operation is ignored if it is invoked in an authenticator session which does not have an <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential-7">authenticatorMakeCredential</a> or <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion-10">authenticatorGetAssertion</a> operation currently in progress.</p>
   <h3 class="heading settled" data-level="5.3" id="cred-attestation"><span class="secno">5.3. </span><span class="content">Credential Attestation</span><a class="self-link" href="#cred-attestation"></a></h3>
   <p>Authenticators must also provide some form of attestation. The basic requirement is that the authenticator can produce, for each
credential public key, attestation information that can be verified by a Relying Party. Typically, this information contains a
signature by an attestation private key over the attested credential public key and a challenge, as well as a certificate or
similar information providing provenance information for the attestation public key, enabling a trust decision to be made.
However, if an attestation key pair is not available, then the authenticator MUST perform self attestation of the credential
public key with the corresponding credential private key. All this information is returned by the authenticator any time a new
credential is generated, in the form of an <a data-link-type="dfn" href="#attestation-objects" id="ref-for-attestation-objects-8">attestation object</a>. The relationship of <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-20">authenticator data</a> and the <a data-link-type="dfn" href="#attestation-data" id="ref-for-attestation-data-10">attestation data</a>, attestation object, and attestation statement data structures is illustrated in <a href="#fig-attStructs">the figure below</a>.</p>
   <figure id="fig-attStructs">
     <img src="images/fido-attestation-structures.svg"> 
    <figcaption>Relationship of <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-21">authenticator data</a> and <a data-link-type="dfn" href="#attestation-data" id="ref-for-attestation-data-11">attestation data</a> structures.</figcaption>
   </figure>
   <p>An important component of the <a data-link-type="dfn" href="#attestation-objects" id="ref-for-attestation-objects-9">attestation object</a> is the credential attestation statement. This is a specific type of
signed data object, containing statements about a credential itself and the authenticator that created it. It contains an
attestation signature created using the key of the attesting authority (except for the case of <a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation-5">self attestation</a>, when it
is created using the private key associated with the credential). In order to correctly interpret an attestation statement, a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-57">Relying Party</a> needs to understand two aspects of the attestation:</p>
   <ol>
    <li data-md="">
     <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="attestation-statement-format">attestation statement format</dfn> is the manner in which the signature is represented and the various contextual
bindings are incorporated into the attestation statement by the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-30">authenticator</a>. In other words, this defines the
syntax of the statement. Various existing devices and platforms (such as TPMs and the Android OS) have previously defined
attestation statement formats. This specification supports a variety of such formats in an extensible way, as defined in <a href="#attestation-formats">§5.3.2 Attestation Statement Formats</a>.</p>
    <li data-md="">
     <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="attestation-type">attestation type</dfn> defines the semantics of the attestation statement and its underlying trust model. It defines
how a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-58">Relying Party</a> establishes trust in a particular attestation statement, after verifying that it is cryptographically valid. This
specification supports a number of attestation types, as described in <a href="#sctn-attestation-types">§5.3.3 Attestation Types</a>.</p>
   </ol>
   <p>In general, there is no simple mapping between attestation statement formats and attestation types. For example the "packed"
attestation statement format defined in <a href="#packed-attestation">§7.2 Packed Attestation Statement Format</a> can be used in conjunction with all attestation types, while
other formats and types have more limited applicability.</p>
   <p>The privacy, security and operational characteristics of attestation depend on:</p>
   <ul>
    <li data-md="">
     <p>The attestation type, which determines the trust model,</p>
    <li data-md="">
     <p>The attestation statement format, which may constrain the strength of the attestation by limiting what can be expressed in an
attestation statement, and</p>
    <li data-md="">
     <p>The characteristics of the individual authenticator, such as its construction, whether part or all of it runs in a secure
operating environment, and so on.</p>
   </ul>
   <p>It is expected that most authenticators will support a small number of attestation types and attestation statement formats,
while Relying Parties will decide what attestation types are acceptable to them by policy. <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-59">Relying Party</a> will also need to understand the
characteristics of the authenticators that they trust, based on information they have about these authenticators. For example,
the FIDO Metadata Service <a data-link-type="biblio" href="#biblio-fidometadataservice">[FIDOMetadataService]</a> provides one way to access such information.</p>
   <h4 class="heading settled" data-level="5.3.1" id="sec-attestation-data"><span class="secno">5.3.1. </span><span class="content">Attestation data</span><a class="self-link" href="#sec-attestation-data"></a></h4>
   <p><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="attestation-data">Attestation data</dfn> is added to the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-22">authenticator data</a> when generating an <a data-link-type="dfn" href="#attestation-objects" id="ref-for-attestation-objects-10">attestation object</a> for a given
credential. It has the following format:</p>
   <table class="complex data longlastcol">
    <tbody>
     <tr>
      <th>Length (in bytes)
      <th>Description
     <tr>
      <td>16
      <td>The AAGUID of the authenticator.
     <tr>
      <td>2
      <td>Byte length L of Credential ID
     <tr>
      <td>L
      <td>Credential ID
     <tr>
      <td>variable
      <td>
        Credential public key encoded in CBOR format. This is a CBOR map defined by the following CDDL rules: 
<pre>            pubKey = $pubKeyFmt

            ; All public key formats must include an alg name
            pubKeyTemplate = { alg: text }
            pubKeyTemplate .within $pubKeyFmt

            pubKeyFmt /= rsaPubKey
            rsaPubKey = { alg: rsaAlgName, n: biguint, e: uint }
            rsaAlgName = "RS256" / "RS384" / "RS512" / "PS256" / "PS384" / "PS512"

            pubKeyFmt /= eccPubKey
            eccPubKey = { alg: eccAlgName, x: biguint, y: biguint }
            eccAlgName = "ES256" / "ES384" / "ES512"
</pre>
       <p>Thus, each public key type is a CBOR map starting with an entry named <code>alg</code>, which contains a text string that
            specifies the name of the signature algorithm associated with the credential private key, using values defined in <a data-link-type="biblio" href="#biblio-rfc7518">[RFC7518]</a> section 3.1. The semantics and naming of the other fields (though not their encoding) follows the
            definitions in <a data-link-type="biblio" href="#biblio-rfc7518">[RFC7518]</a> section 6. Specifically, for ECC keys, the semantics of the <code>x</code> and <code>y</code> fields are
            defined in <a data-link-type="biblio" href="#biblio-rfc7518">[RFC7518]</a> sections 6.2.1.2 and 6.2.1.3, while for RSA keys, the semantics of the <code>n</code> and <code>e</code> fields
            are defined in <a data-link-type="biblio" href="#biblio-rfc7518">[RFC7518]</a> sections 6.3.1.1 and 6.3.1.2.</p>
   </table>
   <h4 class="heading settled" data-level="5.3.2" id="attestation-formats"><span class="secno">5.3.2. </span><span class="content">Attestation Statement Formats</span><a class="self-link" href="#attestation-formats"></a></h4>
   <p>As described above, an attestation statement format is a data format which represents a cryptographic signature by an
authenticator over a set of contextual bindings. Each attestation statement format is defined by the following attributes:</p>
   <ul>
    <li data-md="">
     <p>Its <a data-link-type="dfn" href="#attestation-statement-format-identifier" id="ref-for-attestation-statement-format-identifier-1">attestation statement format identifier</a>.</p>
    <li data-md="">
     <p>The set of attestation types supported by the format.</p>
    <li data-md="">
     <p>The syntax of an attestation statement produced in this format, defined using CDDL for the extension point <code>$attStmtFormat</code> defined in <a href="#generating-an-attestation-object">§5.3.4 Generating an Attestation Object</a>.</p>
    <li data-md="">
     <p>The procedure for computing an attestation statement in this format given the credential to be attested, the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-23">authenticator data</a> structure containing the <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="authenticator-data-for-the-attestation">authenticator data for the attestation</dfn>, and the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data-14">hash of the serialized client data</a>.</p>
    <li data-md="">
     <p>The procedure for verifying an attestation statement, which takes as inputs the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-24">authenticator data</a> structure containing
the <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="authenticator-data-claimed-to-have-been-used-for-the-attestation">authenticator data claimed to have been used for the attestation</dfn> and the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data-15">hash of the serialized client data</a>, and returns either:</p>
     <ul>
      <li data-md="">
       <p>An error indicating that the attestation is invalid, or</p>
      <li data-md="">
       <p>The attestation type, and the trust path of the attestation. This trust path is either empty (in case of
self-attestation), an identifier of a <a data-link-type="dfn" href="#ecdaa-issuer-public-key" id="ref-for-ecdaa-issuer-public-key-1">ECDAA-Issuer public key</a> (in the case of <a data-link-type="dfn" href="#ecdaa" id="ref-for-ecdaa-1">ECDAA</a>), or a set of X.509
certificates.</p>
     </ul>
   </ul>
   <p>The initial list of supported attestation statement formats is in <a href="#defined-attestation-formats">§7 Defined Attestation Statement Formats</a>.</p>
   <h4 class="heading settled" data-level="5.3.3" id="sctn-attestation-types"><span class="secno">5.3.3. </span><span class="content">Attestation Types</span><a class="self-link" href="#sctn-attestation-types"></a></h4>
   <p>WebAuthn supports multiple attestation types:</p>
   <dl>
    <dt data-md=""><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="basic-attestation">Basic Attestation</dfn>
    <dd data-md="">
     <p>In the case of basic attestation <a data-link-type="biblio" href="#biblio-uafprotocol">[UAFProtocol]</a>, the authenticator’s attestation key pair is specific to an
authenticator model.  Thus, authenticators of the same model often share the same attestation key pair. See <a href="#sec-attestation-privacy">§5.3.5.1 Privacy</a> for futher information.</p>
    <dt data-md=""><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="self-attestation">Self Attestation</dfn>
    <dd data-md="">
     <p>In the case of self attestation, also known as surrogate basic attestation <a data-link-type="biblio" href="#biblio-uafprotocol">[UAFProtocol]</a>, the Authenticator doesn’t have
any specific attestation key. Instead it uses the authentication key itself to create the attestation signature.
Authenticators without meaningful protection measures for an attestation private key typically use this attestation type.</p>
    <dt data-md=""><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="privacy-ca">Privacy CA</dfn>
    <dd data-md="">
     <p>In this case, the Authenticator owns an authenticator-specific (endorsement) key. This key is used to securely communicate
with a trusted third party, the Privacy CA.  The Authenticator can generate multiple attestation key pairs and asks the
Privacy CA to issue an attestation certificate for it. Using this approach, the Authenticator can limit the exposure of the
endorsement key (which is a global correlation handle) to Privacy CA(s). Attestation keys can be requested for each <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential-22">public
key credential</a> individually.</p>
     <p class="note" role="note"><span>Note:</span> This concept typically leads to multiple attestation certificates. The attestation certificate requested most recently
    is called "active".</p>
    <dt data-md=""><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="elliptic-curve-based-direct-anonymous-attestation">Elliptic Curve based Direct Anonymous Attestation</dfn> (<dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="ecdaa">ECDAA</dfn>)
    <dd data-md="">
     <p>In this case, the Authenticator receives direct anonymous attestation (<dfn data-dfn-type="dfn" data-noexport="" id="daa">DAA<a class="self-link" href="#daa"></a></dfn>]) credentials from a single DAA-Issuer.
These DAA credentials are used along with blinding to sign the <a data-link-type="dfn" href="#attestation-data" id="ref-for-attestation-data-12">attestation data</a>. The concept of blinding avoids the DAA
credentials being misused as global correlation handle. WebAuthn supports DAA using elliptic curve cryptography and bilinear
pairings, called <a data-link-type="dfn" href="#ecdaa" id="ref-for-ecdaa-2">ECDAA</a> (see <a data-link-type="biblio" href="#biblio-fidoecdaaalgorithm">[FIDOEcdaaAlgorithm]</a>) in this specification. Consequently we denote the DAA-Issuer as
ECDAA-Issuer (see <a data-link-type="biblio" href="#biblio-fidoecdaaalgorithm">[FIDOEcdaaAlgorithm]</a>).</p>
   </dl>
   <h4 class="heading settled" data-level="5.3.4" id="generating-an-attestation-object"><span class="secno">5.3.4. </span><span class="content">Generating an Attestation Object</span><a class="self-link" href="#generating-an-attestation-object"></a></h4>
   <p>This section specifies the algorithm for generating an <a data-link-type="dfn" href="#attestation-objects" id="ref-for-attestation-objects-11">attestation object</a> for any <a data-link-type="dfn" href="#attestation-statement-format" id="ref-for-attestation-statement-format-3">attestation statement format</a>.</p>
   <p>In order to construct an <a data-link-type="dfn" href="#attestation-objects" id="ref-for-attestation-objects-12">attestation object</a> for a given credential using a particular <a data-link-type="dfn" href="#attestation-statement-format" id="ref-for-attestation-statement-format-4">attestation statement
format</a>, the authenticator MUST first generate the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-25">authenticator data</a>.</p>
   <p>The authenticator MUST then run the signing procedure for the desired attestation statement format with this <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-26">authenticator data</a> and the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data-16">hash of the serialized client data</a> as input, and use this to construct an attestation
statement in that attestation statement format.</p>
   <p>Finally, the authenticator MUST construct the <a data-link-type="dfn" href="#attestation-objects" id="ref-for-attestation-objects-13">attestation object</a> as a CBOR map with the following syntax:</p>
<pre>attObj = {
            authData: bytes,
            $$attStmtType
         }

attStmtTemplate = (
                      fmt: text,
                      attStmt: bytes
                  )

; Every attestation statement format must have the above fields
attStmtTemplate .within $$attStmtType
</pre>
   <p>The semantics of the fields in the <a data-link-type="dfn" href="#attestation-objects" id="ref-for-attestation-objects-14">attestation object</a> are as follows:</p>
   <dl>
    <dt data-md="">fmt
    <dd data-md="">
     <p>The <a data-link-type="dfn" href="#attestation-statement-format-identifier" id="ref-for-attestation-statement-format-identifier-2">attestation statement format identifier</a> associated with the attestation statement. Each attestation statement
format defines its identifier.</p>
    <dt data-md="">authData
    <dd data-md="">
     <p>The <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-27">authenticator data</a> used to generate the attestation statement.</p>
    <dt data-md="">attStmt
    <dd data-md="">
     <p>The attestation statement constructed above. The syntax of this is defined by the attestation statement format used.</p>
   </dl>
   <h4 class="heading settled" data-level="5.3.5" id="sec-attestation-security-considerations"><span class="secno">5.3.5. </span><span class="content">Security Considerations</span><a class="self-link" href="#sec-attestation-security-considerations"></a></h4>
   <h5 class="heading settled" data-level="5.3.5.1" id="sec-attestation-privacy"><span class="secno">5.3.5.1. </span><span class="content">Privacy</span><a class="self-link" href="#sec-attestation-privacy"></a></h5>
   <p>Attestation keys may be used to track users or link various online identities of the same user together. This may be mitigated
in several ways, including:</p>
   <ul>
    <li data-md="">
     <p>A WebAuthn <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-31">authenticator</a> manufacturer may choose to ship all of their devices with the same (or a fixed number of)
attestation key(s) (called <a data-link-type="dfn" href="#basic-attestation" id="ref-for-basic-attestation-1">Basic Attestation</a>). This will anonymize the user at the risk of not being able to revoke a
particular attestation key should its WebAuthn Authenticator be compromised.</p>
    <li data-md="">
     <p>A WebAuthn Authenticator may be capable of dynamically generating different attestation keys (and requesting related
certificates) per <a data-link-type="dfn" href="https://w3c.github.io/html/browsers.html#concept-cross-origin">origin</a> (following the <a data-link-type="dfn" href="#privacy-ca" id="ref-for-privacy-ca-1">Privacy CA</a> approach). For example, a WebAuthn Authenticator can ship with a
master attestation key (and certificate), and combined with a cloud operated privacy CA, can dynamically generate per <a data-link-type="dfn" href="https://w3c.github.io/html/browsers.html#concept-cross-origin">origin</a> attestation keys and attestation certificates.</p>
    <li data-md="">
     <p>A WebAuthn Authenticator can implement <a data-link-type="dfn" href="#elliptic-curve-based-direct-anonymous-attestation" id="ref-for-elliptic-curve-based-direct-anonymous-attestation-1">Elliptic Curve based direct anonymous attestation</a> (see <a data-link-type="biblio" href="#biblio-fidoecdaaalgorithm">[FIDOEcdaaAlgorithm]</a>).
Using this scheme, the authenticator generates a blinded attestation signature. This allows the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-60">Relying Party</a> to verify the signature
using the <a data-link-type="dfn" href="#ecdaa-issuer-public-key" id="ref-for-ecdaa-issuer-public-key-2">ECDAA-Issuer public key</a>, but the attestation signature doesn’t serve as a global correlation handle.</p>
   </ul>
   <h5 class="heading settled" data-level="5.3.5.2" id="ca-compromise"><span class="secno">5.3.5.2. </span><span class="content">Attestation Certificate and Attestation Certificate CA Compromise</span><a class="self-link" href="#ca-compromise"></a></h5>
   <p>When an intermediate CA or a root CA used for issuing attestation certificates is compromised, WebAuthn <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-32">authenticator</a> attestation keys are still safe although their certificates can no longer be trusted. A WebAuthn Authenticator manufacturer that
has recorded the public attestation keys for their devices can issue new attestation certificates for these keys from a new
intermediate CA or from a new root CA. If the root CA changes, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-61">Relying Parties</a> must update their trusted root certificates
accordingly.</p>
   <p>A WebAuthn Authenticator attestation certificate must be revoked by the issuing CA if its key has been compromised. A WebAuthn
Authenticator manufacturer may need to ship a firmware update and inject new attestation keys and certificates into already
manufactured WebAuthn Authenticators, if the exposure was due to a firmware flaw. (The process by which this happens is out of
scope for this specification.) If the WebAuthn Authenticator manufacturer does not have this capability, then it may not be
possible for <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-62">Relying Parties</a> to trust any further attestation statements from the affected WebAuthn Authenticators.</p>
   <p>If attestation certificate validation fails due to a revoked intermediate attestation CA certificate, and the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-63">Relying Party</a>'s policy
requires rejecting the registration/authentication request in these situations, then it is recommended that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-64">Relying Party</a> also
un-registers (or marks with a trust level equivalent to "<a data-link-type="dfn" href="#self-attestation" id="ref-for-self-attestation-6">self attestation</a>") <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential-23">public key credentials</a> that were registered
after the CA compromise date using an attestation certificate chaining up to the same intermediate CA. It is thus recommended
that Relying Parties remember intermediate attestation CA certificates during Authenticator registration in order to un-register related <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential-24">public key credentials</a> if the registration was performed after revocation of such certificates.</p>
   <p>If an <a data-link-type="dfn" href="#ecdaa" id="ref-for-ecdaa-3">ECDAA</a> attestation key has been compromised, it can be added to the RogueList (i.e., the list of revoked
authenticators) maintained by the related ECDAA-Issuer. The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-65">Relying Party</a> should verify whether an authenticator belongs to the RogueList
when performing ECDAA-Verify (see section 3.6 in <a data-link-type="biblio" href="#biblio-fidoecdaaalgorithm">[FIDOEcdaaAlgorithm]</a>). For example, the FIDO Metadata Service <a data-link-type="biblio" href="#biblio-fidometadataservice">[FIDOMetadataService]</a> provides one way to access such information.</p>
   <h5 class="heading settled" data-level="5.3.5.3" id="cert-hierarchy"><span class="secno">5.3.5.3. </span><span class="content">Attestation Certificate Hierarchy</span><a class="self-link" href="#cert-hierarchy"></a></h5>
   <p>A 3-tier hierarchy for attestation certificates is recommended (i.e., Attestation Root, Attestation Issuing CA, Attestation
Certificate). It is also recommended that for each WebAuthn Authenticator device line (i.e., model), a separate issuing CA is
used to help facilitate isolating problems with a specific version of a device.</p>
   <p>If the attestation root certificate is not dedicated to a single WebAuthn Authenticator device line (i.e., AAGUID), the AAGUID
should be specified in the attestation certificate itself, so that it can be verified against the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-28">authenticator data</a>.</p>
   <h2 class="heading settled" data-level="6" id="rp-operations"><span class="secno">6. </span><span class="content"><a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-66">Relying Party</a> Operations</span><a class="self-link" href="#rp-operations"></a></h2>
   <p>Upon successful execution of <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create">create()</a></code> or <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get">get()</a></code>, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-67">Relying Party</a>'s script receives a <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential-21">PublicKeyCredential</a></code> containing an <code class="idl"><a data-link-type="idl" href="#authenticatorattestationresponse" id="ref-for-authenticatorattestationresponse-6">AuthenticatorAttestationResponse</a></code> or <code class="idl"><a data-link-type="idl" href="#authenticatorassertionresponse" id="ref-for-authenticatorassertionresponse-6">AuthenticatorAssertionResponse</a></code> structure,
respectively, from the client. It must then deliver the contents of this structure to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-68">Relying Party</a> server, using methods
outside the scope of this specification. This section describes the operations that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-69">Relying Party</a> must perform upon receipt of
these structures.</p>
   <h3 class="heading settled" data-level="6.1" id="registering-a-new-credential"><span class="secno">6.1. </span><span class="content">Registering a new credential</span><a class="self-link" href="#registering-a-new-credential"></a></h3>
   <p>When registering a new credential, represented by a <code class="idl"><a data-link-type="idl" href="#authenticatorattestationresponse" id="ref-for-authenticatorattestationresponse-7">AuthenticatorAttestationResponse</a></code> structure, as part of a <a data-link-type="dfn" href="#registration" id="ref-for-registration-10">registration</a> <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony-9">ceremony</a>, a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-70">Relying Party</a> MUST proceed as follows:</p>
   <ol>
    <li data-md="">
     <p>Perform JSON deserialization on the <code class="idl"><a data-link-type="idl" href="#dom-authenticatorresponse-clientdatajson" id="ref-for-dom-authenticatorresponse-clientdatajson-8">clientDataJSON</a></code> field of the <code class="idl"><a data-link-type="idl" href="#authenticatorattestationresponse" id="ref-for-authenticatorattestationresponse-8">AuthenticatorAttestationResponse</a></code> object to extract the <a data-link-type="dfn" href="#client-data" id="ref-for-client-data-7">client data</a> <var>C</var> claimed as collected during the credential
creation.</p>
    <li data-md="">
     <p>Verify that the <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-challenge" id="ref-for-dom-collectedclientdata-challenge-4">challenge</a></code> in <var>C</var> matches the challenge that was sent to the authenticator in the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create">create()</a></code> call.</p>
    <li data-md="">
     <p>Verify that the <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin-4">origin</a></code> in <var>C</var> matches the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-71">Relying Party</a>'s <a data-link-type="dfn" href="https://w3c.github.io/html/browsers.html#concept-cross-origin">origin</a>.</p>
    <li data-md="">
     <p>Verify that the <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-tokenbinding" id="ref-for-dom-collectedclientdata-tokenbinding-4">tokenBinding</a></code> in <var>C</var> matches the <a data-link-type="dfn" href="https://tools.ietf.org/html/draft-ietf-tokbind-protocol#section-3.2">Token Binding ID</a> for the TLS connection over
which the attestation was obtained.</p>
    <li data-md="">
     <p>Verify that the <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-clientextensions" id="ref-for-dom-collectedclientdata-clientextensions-4">clientExtensions</a></code> in <var>C</var> is a proper subset of the extensions requested by the RP
and that the <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-authenticatorextensions" id="ref-for-dom-collectedclientdata-authenticatorextensions-4">authenticatorExtensions</a></code> in <var>C</var> is also a proper subset of the extensions requested by
the RP.</p>
    <li data-md="">
     <p>Compute the hash of <code class="idl"><a data-link-type="idl" href="#dom-authenticatorresponse-clientdatajson" id="ref-for-dom-authenticatorresponse-clientdatajson-9">clientDataJSON</a></code> using the algorithm identified by <code><var>C</var>.<code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-hashalg" id="ref-for-dom-collectedclientdata-hashalg-5">hashAlg</a></code></code>.</p>
    <li data-md="">
     <p>Perform CBOR decoding on the <code class="idl"><a data-link-type="idl" href="#dom-authenticatorattestationresponse-attestationobject" id="ref-for-dom-authenticatorattestationresponse-attestationobject-3">attestationObject</a></code> field of the <code class="idl"><a data-link-type="idl" href="#authenticatorattestationresponse" id="ref-for-authenticatorattestationresponse-9">AuthenticatorAttestationResponse</a></code> structure to obtain the attestation statement format <var>fmt</var>, the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-29">authenticator data</a> <var>authData</var>, and the attestation statement <var>attStmt</var>.</p>
    <li data-md="">
     <p>Verify that the RP ID hash in <var>authData</var> is indeed the SHA-256 hash of the RP ID expected by the RP.</p>
    <li data-md="">
     <p>Determine the attestation statement format by performing an USASCII case-sensitive match on <var>fmt</var> against the set of
supported WebAuthn Attestation Statement Format Identifier values.
The up-to-date list of registered WebAuthn Attestation Statement Format Identifier values
is maintained in the in the IANA registry of the same name <a data-link-type="biblio" href="#biblio-webauthn-registries">[WebAuthn-Registries]</a>.</p>
    <li data-md="">
     <p>Verify that <var>attStmt</var> is a correct, validly-signed attestation statement, using the attestation statement format <var>fmt</var>’s
verification procedure given <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-30">authenticator data</a> <var>authData</var> and the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data-17">hash of the serialized client data</a> computed in
step 6.</p>
    <li data-md="">
     <p>If validation is successful, obtain a list of acceptable trust anchors (attestation root certificates or <a data-link-type="dfn" href="#ecdaa-issuer-public-key" id="ref-for-ecdaa-issuer-public-key-3">ECDAA-Issuer
public key</a>s) for that attestation type and attestation statement format <var>fmt</var>, from a trusted source or from policy. For
example, the FIDO Metadata Service <a data-link-type="biblio" href="#biblio-fidometadataservice">[FIDOMetadataService]</a> provides one way to obtain such information, using the AAGUID in
the <a data-link-type="dfn" href="#attestation-data" id="ref-for-attestation-data-13">attestation data</a> contained in <var>authData</var>.</p>
    <li data-md="">
     <p>Assess the attestation trustworthiness using the outputs of the verification procedure in step 10, as follows:</p>
     <ul>
      <li data-md="">
       <p>If self-attestation was used, check if self-attestation is acceptable under <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-72">Relying Party</a> policy.</p>
      <li data-md="">
       <p>If <a data-link-type="dfn" href="#ecdaa" id="ref-for-ecdaa-4">ECDAA</a> was used, verify that the <a data-link-type="dfn" href="#identifier-of-the-ecdaa-issuer-public-key" id="ref-for-identifier-of-the-ecdaa-issuer-public-key-1">identifier of the ECDAA-Issuer public key</a> used is included in the set of
acceptable trust anchors obtained in step 11.</p>
      <li data-md="">
       <p>Otherwise, use the X.509 certificates returned by the verification procedure to verify that the attestation public key
correctly chains up to an acceptable root certificate.</p>
     </ul>
    <li data-md="">
     <p>If the attestation statement <var>attStmt</var> verified successfully and is found to be trustworthy, then register the new
credential with the account that was denoted in the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-create-options-options" id="ref-for-dom-publickeycredential-create-options-options-1">options</a></code>.<code class="idl"><a data-link-type="idl" href="#dom-makecredentialoptions-user" id="ref-for-dom-makecredentialoptions-user-8">user</a></code> passed to <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create">create()</a></code>, by associating it with the credential ID and credential public key contained in <var>authData</var>’s <a data-link-type="dfn" href="#attestation-data" id="ref-for-attestation-data-14">attestation data</a>, as appropriate for the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-73">Relying Party</a>'s systems.</p>
    <li data-md="">
     <p>If the attestation statement <var>attStmt</var> successfully verified but is not trustworthy per step 12 above, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-74">Relying Party</a> SHOULD fail
the registration ceremony.</p>
     <p class="note" role="note"><span>NOTE:</span> However, if permitted by policy, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-75">Relying Party</a> MAY register the credential ID and credential public key but treat the
    credential as one with self-attestation (see <a href="#sctn-attestation-types">§5.3.3 Attestation Types</a>). If doing so, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-76">Relying Party</a> is asserting there is
    no cryptographic proof that the <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential-25">public key credential</a> has been generated by a particular <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-33">authenticator</a> model.
    See <a data-link-type="biblio" href="#biblio-fidosecref">[FIDOSecRef]</a> and <a data-link-type="biblio" href="#biblio-uafprotocol">[UAFProtocol]</a> for a more detailed discussion.</p>
    <li data-md="">
     <p>If verification of the attestation statement failed, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-77">Relying Party</a> MUST fail the registration ceremony.</p>
   </ol>
   <p>Verification of <a data-link-type="dfn" href="#attestation-objects" id="ref-for-attestation-objects-15">attestation objects</a> requires that the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-78">Relying Party</a> has a trusted method of determining acceptable trust anchors
in step 11 above. Also, if certificates are being used, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-79">Relying Party</a> must have access to certificate status information for the
intermediate CA certificates. The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-80">Relying Party</a> must also be able to build the attestation certificate chain if the client did not
provide this chain in the attestation information.</p>
   <p>To avoid ambiguity during authentication, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-81">Relying Party</a> SHOULD check that each credential is registered to no more than one user. If
registration is requested for a credential that is already registered to a different user, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-82">Relying Party</a> SHOULD fail this ceremony,
or it MAY decide to accept the registration, e.g. while deleting the older registration.</p>
   <h3 class="heading settled" data-level="6.2" id="verifying-assertion"><span class="secno">6.2. </span><span class="content">Verifying an authentication assertion</span><a class="self-link" href="#verifying-assertion"></a></h3>
   <p>When verifying a given <code class="idl"><a data-link-type="idl" href="#publickeycredential" id="ref-for-publickeycredential-22">PublicKeyCredential</a></code> structure (<var>credential</var>) as part of an <a data-link-type="dfn" href="#authentication" id="ref-for-authentication-8">authentication</a> <a data-link-type="dfn" href="#ceremony" id="ref-for-ceremony-10">ceremony</a>, the Relying Party
MUST proceed as follows:</p>
   <ol>
    <li data-md="">
     <p>Using <var>credential</var>’s <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credential-id">id</a></code> attribute (or the corresponding <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-rawid" id="ref-for-dom-publickeycredential-rawid-2">rawId</a></code>, if <a data-link-type="dfn" href="#base64url-encoding" id="ref-for-base64url-encoding-6">base64url encoding</a> is inappropriate for your use case), look up the corresponding credential public key.</p>
    <li data-md="">
     <p>Let <var>cData</var>, <var>aData</var> and <var>sig</var> denote the value of <var>credential</var>’s <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-response" id="ref-for-dom-publickeycredential-response-4">response</a></code>'s <code class="idl"><a data-link-type="idl" href="#dom-authenticatorresponse-clientdatajson" id="ref-for-dom-authenticatorresponse-clientdatajson-10">clientDataJSON</a></code>, <code class="idl"><a data-link-type="idl" href="#dom-authenticatorassertionresponse-authenticatordata" id="ref-for-dom-authenticatorassertionresponse-authenticatordata-4">authenticatorData</a></code>, and <code class="idl"><a data-link-type="idl" href="#dom-authenticatorassertionresponse-signature" id="ref-for-dom-authenticatorassertionresponse-signature-4">signature</a></code> respectively.</p>
    <li data-md="">
     <p>Perform JSON deserialization on <var>cData</var> to extract the <a data-link-type="dfn" href="#client-data" id="ref-for-client-data-8">client data</a> <var>C</var> used for the signature.</p>
    <li data-md="">
     <p>Verify that the <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-challenge" id="ref-for-dom-collectedclientdata-challenge-5">challenge</a></code> member of <var>C</var> matches the challenge that was sent to the authenticator in
the <code class="idl"><a data-link-type="idl" href="#dictdef-publickeycredentialrequestoptions" id="ref-for-dictdef-publickeycredentialrequestoptions-4">PublicKeyCredentialRequestOptions</a></code> passed to the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get">get()</a></code> call.</p>
    <li data-md="">
     <p>Verify that the <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-origin" id="ref-for-dom-collectedclientdata-origin-5">origin</a></code> member of <var>C</var> matches the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-83">Relying Party</a>'s <a data-link-type="dfn" href="https://w3c.github.io/html/browsers.html#concept-cross-origin">origin</a>.</p>
    <li data-md="">
     <p>Verify that the <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-tokenbinding" id="ref-for-dom-collectedclientdata-tokenbinding-5">tokenBinding</a></code> member of <var>C</var> (if present) matches the <a data-link-type="dfn" href="https://tools.ietf.org/html/draft-ietf-tokbind-protocol#section-3.2">Token Binding ID</a> for the TLS
connection over which the signature was obtained.</p>
    <li data-md="">
     <p>Verify that the <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-clientextensions" id="ref-for-dom-collectedclientdata-clientextensions-5">clientExtensions</a></code> member of <var>C</var> is a proper subset of the extensions requested by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-84">Relying Party</a> and that the <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-authenticatorextensions" id="ref-for-dom-collectedclientdata-authenticatorextensions-5">authenticatorExtensions</a></code> in <var>C</var> is also a proper subset of the extensions
requested by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-85">Relying Party</a>.</p>
    <li data-md="">
     <p>Verify that the RP ID hash in <var>aData</var> is the SHA-256 hash of the RP ID expected by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-86">Relying Party</a>.</p>
    <li data-md="">
     <p>Let <var>hash</var> be the result of computing a hash over the <var>cData</var> using the algorithm represented by the <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-hashalg" id="ref-for-dom-collectedclientdata-hashalg-6">hashAlg</a></code> member of <var>C</var>.</p>
    <li data-md="">
     <p>Using the credential public key looked up in step 1, verify that <var>sig</var> is a valid signature over the binary concatenation of <var>aData</var> and <var>hash</var>.</p>
    <li data-md="">
     <p>If all the above steps are successful, continue with the authentication ceremony as appropriate. Otherwise, fail the
authentication ceremony.</p>
   </ol>
   <h2 class="heading settled" data-level="7" id="defined-attestation-formats"><span class="secno">7. </span><span class="content">Defined Attestation Statement Formats</span><a class="self-link" href="#defined-attestation-formats"></a></h2>
   <p>WebAuthn supports pluggable attestation statement formats. This section defines an initial set of such formats.</p>
   <h3 class="heading settled" data-level="7.1" id="sctn-attstn-fmt-ids"><span class="secno">7.1. </span><span class="content">Attestation Statement Format Identifiers</span><a class="self-link" href="#sctn-attstn-fmt-ids"></a></h3>
   <p>Attestation statement formats are identified by a string, called a <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="attestation-statement-format-identifier">attestation statement format identifier</dfn>, chosen by
the author of the attestation statement format.</p>
   <p>Attestation statement format identifiers SHOULD be registered per <a data-link-type="biblio" href="#biblio-webauthn-registries">[WebAuthn-Registries]</a> "Registries for Web Authentication
(WebAuthn)". All registered attestation statement format identifiers are unique amongst themselves as a matter of course.</p>
   <p>Unregistered attestation statement format identifiers SHOULD use lowercase reverse domain-name naming, using a domain name
registered by the developer, in order to assure uniqueness of the identifier. All attestation statement format identifiers MUST
be a maximum of 32 octets in length and MUST consist only of printable USASCII characters, excluding backslash and doublequote,
i.e., VCHAR as defined in <a data-link-type="biblio" href="#biblio-rfc5234">[RFC5234]</a> but without %x22 and %x5c. (Note: This means attestation statement format identifiers
based on domain names MUST incorporate only LDH Labels <a data-link-type="biblio" href="#biblio-rfc5890">[RFC5890]</a>.) Implementations MUST match WebAuthn attestation statement
format identifiers in a case-sensitive fashion.</p>
   <p>Attestation statement formats that may exist in multiple versions SHOULD include a version in their identifier. In effect,
different versions are thus treated as different formats, e.g., <code>packed2</code> as a new version of the <code>packed</code> attestation statement
format.</p>
   <p>The following sections present a set of currently-defined and registered attestation statement formats and their identifiers.
The up-to-date list of registered WebAuthn Extensions is maintained in the IANA "WebAuthn Attestation Statement Format
Identifier" registry established by <a data-link-type="biblio" href="#biblio-webauthn-registries">[WebAuthn-Registries]</a>.</p>
   <h3 class="heading settled" data-level="7.2" id="packed-attestation"><span class="secno">7.2. </span><span class="content">Packed Attestation Statement Format</span><a class="self-link" href="#packed-attestation"></a></h3>
   <p>This is a WebAuthn optimized attestation statement format. It uses a very compact but still extensible encoding method. It is
implementable by <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-34">authenticators</a> with limited resources (e.g., secure elements).</p>
   <dl>
    <dt data-md="">Attestation statement format identifier
    <dd data-md="">
     <p>packed</p>
    <dt data-md="">Attestation types supported
    <dd data-md="">
     <p>All</p>
    <dt data-md="">Syntax
    <dd data-md="">
     <p>The syntax of a Packed Attestation statement is defined by the following CDDL:</p>
<pre>    $$attStmtType //= (
                          fmt: "packed",
                          attStmt: packedStmtFormat
                      )

    packedStmtFormat = {
                           alg: rsaAlgName / eccAlgName,
                           sig: bytes,
                           x5c: [ attestnCert: bytes, * (caCert: bytes) ]
                       } //
                       {
                           alg: "ED256" / "ED512",
                           sig: bytes,
                           ecdaaKeyId: bytes
                       }
</pre>
     <p>The semantics of the fields are as follows:</p>
     <dl>
      <dt data-md="">alg
      <dd data-md="">
       <p>A text string containing the name of the algorithm used to generate the attestation signature. The types <code>rsaAlgName</code> and <code>eccAlgName</code> are as defined in <a href="#sec-attestation-data">§5.3.1 Attestation data</a>. "ED256" and "ED512" refer to algorithms defined in <a data-link-type="biblio" href="#biblio-fidoecdaaalgorithm">[FIDOEcdaaAlgorithm]</a>.</p>
      <dt data-md="">sig
      <dd data-md="">
       <p>A byte string containing the attestation signature.</p>
      <dt data-md="">x5c
      <dd data-md="">
       <p>The elements of this array contain the attestation certificate and its certificate chain, each encoded in X.509 format.
The attestation certificate must be the first element in the array.</p>
      <dt data-md="">ecdaaKeyId
      <dd data-md="">
       <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="identifier-of-the-ecdaa-issuer-public-key">identifier of the ECDAA-Issuer public key</dfn>.  This is the
BigNumberToB encoding of the component "c" of the <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="ecdaa-issuer-public-key">ECDAA-Issuer public key</dfn> as defined section 3.3, step 3.5 in <a data-link-type="biblio" href="#biblio-fidoecdaaalgorithm">[FIDOEcdaaAlgorithm]</a>.</p>
     </dl>
    <dt data-md="">Signing procedure
    <dd data-md="">
     <p>The signing procedure for this attestation statement format is similar to <a href="#fig-signature">the procedure for generating assertion
signatures</a>.</p>
     <p>Let <var>authenticatorData</var> denote the <a data-link-type="dfn" href="#authenticator-data-for-the-attestation" id="ref-for-authenticator-data-for-the-attestation-1">authenticator data for the attestation</a>, and let <var>clientDataHash</var> denote the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data-18">hash of the serialized client data</a>.</p>
     <p>If Basic or Privacy CA attestation is in use, the authenticator produces the <var>sig</var> by concatenating <var>authenticatorData</var> and <var>clientDataHash</var>, and signing the result using an attestation private key selected through an authenticator-specific
mechanism. It sets <var>x5c</var> to the certificate chain of the attestation public key and <var>alg</var> to the algorithm of the
attestation private key.</p>
     <p>If <a data-link-type="dfn" href="#ecdaa" id="ref-for-ecdaa-5">ECDAA</a> is in use, the authenticator produces <var>sig</var> by concatenating <var>authenticatorData</var> and <var>clientDataHash</var>, and
signing the result using ECDAA-Sign (see section 3.5 of <a data-link-type="biblio" href="#biblio-fidoecdaaalgorithm">[FIDOEcdaaAlgorithm]</a>) with a <a data-link-type="dfn" href="#ecdaa-issuer-public-key" id="ref-for-ecdaa-issuer-public-key-4">ECDAA-Issuer public key</a> selected
through an authenticator-specific mechanism (see <a data-link-type="biblio" href="#biblio-fidoecdaaalgorithm">[FIDOEcdaaAlgorithm]</a>). It sets <var>alg</var> to the algorithm of the <a data-link-type="dfn" href="#ecdaa-issuer-public-key" id="ref-for-ecdaa-issuer-public-key-5">ECDAA-Issuer public key</a> and <var>ecdaaKeyId</var> to the <a data-link-type="dfn" href="#identifier-of-the-ecdaa-issuer-public-key" id="ref-for-identifier-of-the-ecdaa-issuer-public-key-2">identifier of the ECDAA-Issuer public key</a> (see above).</p>
     <p>If self attestation is in use, the authenticator produces <var>sig</var> by concatenating <var>authenticatorData</var> and <var>clientDataHash</var>,
and signing the result using the credential private key. It sets <var>alg</var> to the algorithm of the credential private key, and
omits the other fields.</p>
    <dt data-md="">Verification procedure
    <dd data-md="">
     <p>Verify that the given attestation statement is valid CBOR conforming to the syntax defined above.</p>
     <p>Let <var>authenticatorData</var> denote the <a data-link-type="dfn" href="#authenticator-data-claimed-to-have-been-used-for-the-attestation" id="ref-for-authenticator-data-claimed-to-have-been-used-for-the-attestation-1">authenticator data claimed to have been used for the attestation</a>, and let <var>clientDataHash</var> denote the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data-19">hash of the serialized client data</a>.</p>
     <p>If <var>x5c</var> is present, this indicates that the attestation type is not <a data-link-type="dfn" href="#ecdaa" id="ref-for-ecdaa-6">ECDAA</a>. In this case:</p>
     <ul>
      <li data-md="">
       <p>Verify that <var>sig</var> is a valid signature over the concatenation of <var>authenticatorData</var> and <var>clientDataHash</var> using the
attestation public key in <var>x5c</var> with the algorithm specified in <var>alg</var>.</p>
      <li data-md="">
       <p>Verify that <var>x5c</var> meets the requirements in <a href="#packed-attestation-cert-requirements">§7.2.1 Packed attestation statement certificate requirements</a>.</p>
      <li data-md="">
       <p>If <var>x5c</var> contains an extension with OID <code>1 3 6 1 4 1 45724 1 1 4</code> (id-fido-gen-ce-aaguid) verify that the value of this
extension matches the AAGUID in <var>authenticatorData</var>.</p>
      <li data-md="">
       <p>If successful, return attestation type Basic and trust path <var>x5c</var>.</p>
     </ul>
     <p>If <var>ecdaaKeyId</var> is present, then the attestation type is ECDAA. In this case:</p>
     <ul>
      <li data-md="">
       <p>Verify that <var>sig</var> is a valid signature over the concatenation of <var>authenticatorData</var> and <var>clientDataHash</var> using
ECDAA-Verify with <a data-link-type="dfn" href="#ecdaa-issuer-public-key" id="ref-for-ecdaa-issuer-public-key-6">ECDAA-Issuer public key</a> identified by <var>ecdaaKeyId</var> (see <a data-link-type="biblio" href="#biblio-fidoecdaaalgorithm">[FIDOEcdaaAlgorithm]</a>).</p>
      <li data-md="">
       <p>If successful, return attestation type ECDAA and trust path <var>ecdaaKeyId</var>.</p>
     </ul>
     <p>If neither <var>x5c</var> nor <var>ecdaaKeyId</var> is present, self attestation is in use.</p>
     <ul>
      <li data-md="">
       <p>Validate that <var>alg</var> matches the algorithm of the credential private key in <var>authenticatorData</var>.</p>
      <li data-md="">
       <p>Verify that <var>sig</var> is a valid signature over the concatenation of <var>authenticatorData</var> and <var>clientDataHash</var> using the
credential public key with <var>alg</var>.</p>
      <li data-md="">
       <p>If successful, return attestation type Self and empty trust path.</p>
     </ul>
   </dl>
   <h4 class="heading settled" data-level="7.2.1" id="packed-attestation-cert-requirements"><span class="secno">7.2.1. </span><span class="content">Packed attestation statement certificate requirements</span><a class="self-link" href="#packed-attestation-cert-requirements"></a></h4>
   <p>The attestation certificate MUST have the following fields/extensions:</p>
   <ul>
    <li data-md="">
     <p>Version must be set to 3.</p>
    <li data-md="">
     <p>Subject field MUST be set to:</p>
     <dl>
      <dt data-md="">Subject-C
      <dd data-md="">
       <p>Country where the Authenticator vendor is incorporated</p>
      <dt data-md="">Subject-O
      <dd data-md="">
       <p>Legal name of the Authenticator vendor</p>
      <dt data-md="">Subject-OU
      <dd data-md="">
       <p>Authenticator Attestation</p>
      <dt data-md="">Subject-CN
      <dd data-md="">
       <p>No stipulation.</p>
     </dl>
    <li data-md="">
     <p>If the related attestation root certificate is used for multiple authenticator models, the Extension OID <code>1 3 6 1 4 1 45724 1 1 4</code> (id-fido-gen-ce-aaguid) MUST be present, containing the AAGUID as value.</p>
    <li data-md="">
     <p>The Basic Constraints extension MUST have the CA component set to false</p>
    <li data-md="">
     <p>An Authority Information Access (AIA) extension with entry <code>id-ad-ocsp</code> and a CRL Distribution Point extension <a data-link-type="biblio" href="#biblio-rfc5280">[RFC5280]</a> are both optional as the status of many attestation certificates is available through authenticator metadata services.
See, for example, the FIDO Metadata Service <a data-link-type="biblio" href="#biblio-fidometadataservice">[FIDOMetadataService]</a>.</p>
   </ul>
   <h3 class="heading settled" data-level="7.3" id="tpm-attestation"><span class="secno">7.3. </span><span class="content">TPM Attestation Statement Format</span><a class="self-link" href="#tpm-attestation"></a></h3>
   <p>This attestation statement format is generally used by authenticators that use a Trusted Platform Module as their cryptographic
engine.</p>
   <dl>
    <dt data-md="">Attestation statement format identifier
    <dd data-md="">
     <p>tpm</p>
    <dt data-md="">Attestation types supported
    <dd data-md="">
     <p>Privacy CA, ECDAA</p>
    <dt data-md="">Syntax
    <dd data-md="">
     <p>The syntax of a TPM Attestation statement is as follows:</p>
<pre>    $$attStmtType // = (
                           fmt: "tpm",
                           attStmt: tpmStmtFormat
                       )

    tpmStmtFormat = {
                        ver: "2.0",
                        (
                            alg: rsaAlgName / eccAlgName,
                            x5c: [ aikCert: bytes, * (caCert: bytes) ]
                        ) //
                        (
                            alg:  "ED256" / "ED512",
                            ecdaaKeyId: bytes
                        ),
                        sig: bytes,
                        certInfo: bytes,
                        pubArea: bytes
                    }
</pre>
     <p>The semantics of the above fields are as follows:</p>
     <dl>
      <dt data-md="">ver
      <dd data-md="">
       <p>The version of the TPM specification to which the signature conforms.</p>
      <dt data-md="">alg
      <dd data-md="">
       <p>The name of the algorithm used to generate the attestation signature. The types <code>rsaAlgName</code> and <code>eccAlgNAme</code> are as
defined in <a href="#sec-attestation-data">§5.3.1 Attestation data</a>. The types "ED256" and "ED512" refer to the algorithms specified in <a data-link-type="biblio" href="#biblio-fidoecdaaalgorithm">[FIDOEcdaaAlgorithm]</a>.</p>
      <dt data-md="">x5c
      <dd data-md="">
       <p>The AIK certificate used for the attestation and its certificate chain, in X.509 encoding.</p>
      <dt data-md="">ecdaaKeyId
      <dd data-md="">
       <p>The <a data-link-type="dfn" href="#identifier-of-the-ecdaa-issuer-public-key" id="ref-for-identifier-of-the-ecdaa-issuer-public-key-3">identifier of the ECDAA-Issuer public key</a>. This is the
BigNumberToB encoding of the component "c" as defined section 3.3,
step 3.5 in <a data-link-type="biblio" href="#biblio-fidoecdaaalgorithm">[FIDOEcdaaAlgorithm]</a>.</p>
      <dt data-md="">sig
      <dd data-md="">
       <p>The attestation signature, in the form of a TPMT_SIGNATURE structure as specified in <a data-link-type="biblio" href="#biblio-tpmv2-part2">[TPMv2-Part2]</a> section 11.3.4.</p>
      <dt data-md="">certInfo
      <dd data-md="">
       <p>The TPMS_ATTEST structure over which the above signature was computed, as specified in <a data-link-type="biblio" href="#biblio-tpmv2-part2">[TPMv2-Part2]</a> section 10.12.8.</p>
      <dt data-md="">pubArea
      <dd data-md="">
       <p>The TPMT_PUBLIC structure (see <a data-link-type="biblio" href="#biblio-tpmv2-part2">[TPMv2-Part2]</a> section 12.2.4) used by the TPM to represent the credential public key.</p>
     </dl>
    <dt data-md="">Signing procedure
    <dd data-md="">
     <p>Let <var>authenticatorData</var> denote the <a data-link-type="dfn" href="#authenticator-data-for-the-attestation" id="ref-for-authenticator-data-for-the-attestation-2">authenticator data for the attestation</a>, and let <var>clientDataHash</var> denote the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data-20">hash of the serialized client data</a>.</p>
     <p>Concatenate <var>authenticatorData</var> and <var>clientDataHash</var> to form <var>attToBeSigned</var>.</p>
     <p>Generate a signature using the procedure specified in <a data-link-type="biblio" href="#biblio-tpmv2-part3">[TPMv2-Part3]</a> Section 18.2, using the attestation private key and
setting the <code>qualifyingData</code> parameter to <var>attToBeSigned</var>.</p>
     <p>Set the <var>pubArea</var> field to the public area of the credential public key, the <var>certInfo</var> field to the output parameter of the
same name, and the <var>sig</var> field to the signature obtained from the above procedure.</p>
    <dt data-md="">Verification procedure
    <dd data-md="">
     <p>Verify that the given attestation statement is valid CBOR conforming to the syntax defined above.</p>
     <p>Let <var>authenticatorData</var> denote the <a data-link-type="dfn" href="#authenticator-data-claimed-to-have-been-used-for-the-attestation" id="ref-for-authenticator-data-claimed-to-have-been-used-for-the-attestation-2">authenticator data claimed to have been used for the attestation</a>, and let <var>clientDataHash</var> denote the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data-21">hash of the serialized client data</a>.</p>
     <p>Verify that the public key specified by the <code>parameters</code> and <code>unique</code> fields of <var>pubArea</var> is identical to the public key
contained in the <a data-link-type="dfn" href="#attestation-data" id="ref-for-attestation-data-15">attestation data</a> inside <var>authenticatorData</var>.</p>
     <p>Concatenate <var>authenticatorData</var> and <var>clientDataHash</var> to form <var>attToBeSigned</var>.</p>
     <p>Validate that <var>certInfo</var> is valid:</p>
     <ul>
      <li data-md="">
       <p>Verify that <code>magic</code> is set to <code>TPM_GENERATED_VALUE</code>.</p>
      <li data-md="">
       <p>Verify that <code>type</code> is set to <code>TPM_ST_ATTEST_CERTIFY</code>.</p>
      <li data-md="">
       <p>Verify that <code>extraData</code> is set to <var>attToBeSigned</var>.</p>
      <li data-md="">
       <p>Verify that <code>attested</code> contains a <code>TPMS_CERTIFY_INFO</code> structure, whose <code>name</code> field contains a valid Name for <var>pubArea</var>,
as computed using the algorithm in the <code>nameAlg</code> field of <var>pubArea</var> using the procedure specified in <a data-link-type="biblio" href="#biblio-tpmv2-part1">[TPMv2-Part1]</a> section 16.</p>
     </ul>
     <p>If <var>x5c</var> is present, this indicates that the attestation type is not <a data-link-type="dfn" href="#ecdaa" id="ref-for-ecdaa-7">ECDAA</a>. In this case:</p>
     <ul>
      <li data-md="">
       <p>Verify the <var>sig</var> is a valid signature over <var>certInfo</var> using the attestation public key in <var>x5c</var> with the
algorithm specified in <var>alg</var>.</p>
      <li data-md="">
       <p>Verify that <var>x5c</var> meets the requirements in <a href="#tpm-cert-requirements">§7.3.1 TPM attestation statement certificate requirements</a>.</p>
      <li data-md="">
       <p>If <var>x5c</var> contains an extension with OID <code>1 3 6 1 4 1 45724 1 1 4</code> (id-fido-gen-ce-aaguid) verify that the value of this
extension matches the AAGUID in <var>authenticatorData</var>.</p>
      <li data-md="">
       <p>If successful, return attestation type Privacy CA and trust path <var>x5c</var>.</p>
     </ul>
     <p>If <var>ecdaaKeyId</var> is present, then the attestation type is <a data-link-type="dfn" href="#ecdaa" id="ref-for-ecdaa-8">ECDAA</a>.</p>
     <ul>
      <li data-md="">
       <p>Perform ECDAA-Verify on <var>sig</var> to verify that it is a valid signature over <var>certInfo</var> (see <a data-link-type="biblio" href="#biblio-fidoecdaaalgorithm">[FIDOEcdaaAlgorithm]</a>).</p>
      <li data-md="">
       <p>If successful, return attestation type ECDAA and the <a data-link-type="dfn" href="#identifier-of-the-ecdaa-issuer-public-key" id="ref-for-identifier-of-the-ecdaa-issuer-public-key-4">identifier of the ECDAA-Issuer public key</a> <var>ecdaaKeyId</var>.</p>
     </ul>
   </dl>
   <h4 class="heading settled" data-level="7.3.1" id="tpm-cert-requirements"><span class="secno">7.3.1. </span><span class="content">TPM attestation statement certificate requirements</span><a class="self-link" href="#tpm-cert-requirements"></a></h4>
   <p>TPM <a data-link-type="dfn" href="#attestation-certificate" id="ref-for-attestation-certificate-3">attestation certificate</a> MUST have the following fields/extensions:</p>
   <ul>
    <li data-md="">
     <p>Version must be set to 3.</p>
    <li data-md="">
     <p>Subject field MUST be set to empty.</p>
    <li data-md="">
     <p>The Subject Alternative Name extension must be set as defined in <a data-link-type="biblio" href="#biblio-tpmv2-ek-profile">[TPMv2-EK-Profile]</a> section 3.2.9.</p>
    <li data-md="">
     <p>The Extended Key Usage extension MUST contain the
"joint-iso-itu-t(2) internationalorganizations(23) 133 tcg-kp(8) tcg-kp-AIKCertificate(3)" OID.</p>
    <li data-md="">
     <p>The Basic Constraints extension MUST have the CA component set to false.</p>
    <li data-md="">
     <p>An Authority Information Access (AIA) extension with entry <code>id-ad-ocsp</code> and a CRL Distribution Point extension <a data-link-type="biblio" href="#biblio-rfc5280">[RFC5280]</a> are
both optional as the status of many attestation certificates is available through metadata services.
See, for example, the FIDO Metadata Service <a data-link-type="biblio" href="#biblio-fidometadataservice">[FIDOMetadataService]</a>.</p>
   </ul>
   <h3 class="heading settled" data-level="7.4" id="android-key-attestation"><span class="secno">7.4. </span><span class="content">Android Key Attestation Statement Format</span><a class="self-link" href="#android-key-attestation"></a></h3>
   <p>When the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-35">authenticator</a> in question is a platform-provided Authenticator on the Android "N" or later platform, the
attestation statement is based on the <a href="https://developer.android.com/preview/api-overview.html#key_attestation">Android key attestation</a>. In these cases, the
attestation statement is produced by a component running in a secure operating environment, but the <a data-link-type="dfn" href="#authenticator-data-for-the-attestation" id="ref-for-authenticator-data-for-the-attestation-3">authenticator data for the
attestation</a> is produced outside this environment. The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-87">Relying Party</a> is expected to check that the <a data-link-type="dfn" href="#authenticator-data-claimed-to-have-been-used-for-the-attestation" id="ref-for-authenticator-data-claimed-to-have-been-used-for-the-attestation-3">authenticator data claimed to have
been used for the attestation</a> is consistent with the fields of the attestation certificate’s extension data.</p>
   <dl>
    <dt data-md="">Attestation statement format identifier
    <dd data-md="">
     <p>android-key</p>
    <dt data-md="">Attestation types supported
    <dd data-md="">
     <p>Basic</p>
    <dt data-md="">Syntax
    <dd data-md="">
     <p>An Android key attestation statement consists simply of the Android attestation statement, which is a series of
DER encoded X.509 certificates. See <a href="https://developer.android.com/training/articles/security-key-attestation.html">the Android developer documentation</a>. Its
syntax is defined as follows:</p>
<pre>    $$attStmtType //= (
                          fmt: "android-key",
                          attStmt: androidStmtFormat
                      )

    androidStmtFormat = bytes
</pre>
    <dt data-md="">Signing procedure
    <dd data-md="">
     <p>Let <var>authenticatorData</var> denote the <a data-link-type="dfn" href="#authenticator-data-for-the-attestation" id="ref-for-authenticator-data-for-the-attestation-4">authenticator data for the attestation</a>, and let <var>clientDataHash</var> denote the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data-22">hash of the serialized client data</a>.</p>
     <p>Concatenate <var>authenticatorData</var> and <var>clientDataHash</var> to form <var>attToBeSigned</var>.</p>
     <p>Request a Android Key Attestation by calling "keyStore.getCertificateChain(myKeyUUID)") providing <var>attToBeSigned</var> as the
challenge value (e.g., by using <a href="https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder.html#setAttestationChallenge(byte%5B%5D)"> setAttestationChallenge</a>),
and set the attestation statement to the returned value.</p>
    <dt data-md="">Verification procedure
    <dd data-md="">
     <p>Verification is performed as follows:</p>
     <ul>
      <li data-md="">
       <p>Let <var>authenticatorData</var> denote the <a data-link-type="dfn" href="#authenticator-data-claimed-to-have-been-used-for-the-attestation" id="ref-for-authenticator-data-claimed-to-have-been-used-for-the-attestation-4">authenticator data claimed to have been used for the attestation</a>, and let <var>clientDataHash</var> denote the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data-23">hash of the serialized client data</a>.</p>
      <li data-md="">
       <p>Verify that the public key in the first certificate in the series of certificates represented by the signature matches the <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key-4">credential public key</a> in the <a data-link-type="dfn" href="#attestation-data" id="ref-for-attestation-data-16">attestation data</a> field of <var>authenticatorData</var>.</p>
      <li data-md="">
       <p>Verify that in the attestation certificate extension data:</p>
       <ul>
        <li data-md="">
         <p>The value of the <code>attestationChallenge</code> field is identical to the concatenation of <var>authenticatorData</var> and <var>clientDataHash</var>.</p>
        <li data-md="">
         <p>The <code>AuthorizationList.allApplications</code> field is <em>not</em> present, since PublicKeyCredentials must be bound to the
RP ID.</p>
        <li data-md="">
         <p>The value in the <code>AuthorizationList.origin</code> field is equal to <code>KM_TAG_GENERATED</code>.</p>
        <li data-md="">
         <p>The value in the <code>AuthorizationList.purpose</code> field is equal to <code>KM_PURPOSE_SIGN</code>.</p>
       </ul>
      <li data-md="">
       <p>If successful, return attestation type Basic with the trust path set to the entire attestation statement.</p>
     </ul>
   </dl>
   <h3 class="heading settled" data-level="7.5" id="android-safetynet-attestation"><span class="secno">7.5. </span><span class="content">Android SafetyNet Attestation Statement Format</span><a class="self-link" href="#android-safetynet-attestation"></a></h3>
   <p>When the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-36">authenticator</a> in question is a platform-provided Authenticator on certain Android platforms, the attestation
statement is based on the <a href="https://developer.android.com/training/safetynet/index.html#compat-check-response">SafetyNet API</a>. In
this case the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-31">authenticator data</a> is completely controlled by the caller of the SafetyNet API (typically an application
running on the Android platform) and the attestation statement only provides some statements about the health of the platform
and the identity of the calling application.</p>
   <dl>
    <dt data-md="">Attestation statement format identifier
    <dd data-md="">
     <p>android-safetynet</p>
    <dt data-md="">Attestation types supported
    <dd data-md="">
     <p>Basic</p>
    <dt data-md="">Syntax
    <dd data-md="">
     <p>The syntax of an Android Attestation statement is defined as follows:</p>
<pre>    $$attStmtType //= (
                          fmt: "android-safetynet",
                          attStmt: safetynetStmtFormat
                      )

    safetynetStmtFormat = {
                              ver: text,
                              response: bytes
                          }
</pre>
     <p>The semantics of the above fields are as follows:</p>
     <dl>
      <dt data-md="">ver
      <dd data-md="">
       <p>The version number of Google Play Services responsible for providing the SafetyNet API.</p>
      <dt data-md="">response
      <dd data-md="">
       <p>The value returned by the above SafetyNet API. This value is a JWS <a data-link-type="biblio" href="#biblio-rfc7515">[RFC7515]</a> object (see <a href="https://developer.android.com/training/safetynet/index.html#compat-check-response">SafetyNet online documentation</a>)
in Compact Serialization.</p>
     </dl>
    <dt data-md="">Signing procedure
    <dd data-md="">
     <p>Let <var>authenticatorData</var> denote the <a data-link-type="dfn" href="#authenticator-data-for-the-attestation" id="ref-for-authenticator-data-for-the-attestation-5">authenticator data for the attestation</a>, and let <var>clientDataHash</var> denote the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data-24">hash of the serialized client data</a>.</p>
     <p>Concatenate <var>authenticatorData</var> and <var>clientDataHash</var> to form <var>attToBeSigned</var>.</p>
     <p>Request a SafetyNet attestation, providing <var>attToBeSigned</var> as the nonce value. Set <var>response</var> to the result, and <var>ver</var> to
the version of Google Play Services running in the authenticator.</p>
    <dt data-md="">Verification procedure
    <dd data-md="">
     <p>Verification is performed as follows:</p>
     <ul>
      <li data-md="">
       <p>Verify that the given attestation statement is valid CBOR conforming to the syntax defined above.</p>
      <li data-md="">
       <p>Verify that <var>response</var> is a valid SafetyNet response of version <var>ver</var>.</p>
      <li data-md="">
       <p>Verify that the nonce in the <var>response</var> is identical to the concatenation of the <var>authenticatorData</var> and <var>clientDataHash</var>.</p>
      <li data-md="">
       <p>Verify that the attestation certificate is issued to the hostname "attest.android.com" (see <a href="https://developer.android.com/training/safetynet/index.html#compat-check-response">SafetyNet online documentation</a>).</p>
      <li data-md="">
       <p>Verify that the <code>ctsProfileMatch</code> attribute in the payload of <var>response</var> is true.</p>
      <li data-md="">
       <p>If successful, return attestation type Basic with the trust path set to the above attestation certificate.</p>
     </ul>
   </dl>
   <h3 class="heading settled" data-level="7.6" id="fido-u2f-attestation"><span class="secno">7.6. </span><span class="content">FIDO U2F Attestation Statement Format</span><a class="self-link" href="#fido-u2f-attestation"></a></h3>
   <p>This attestation statement format is used with FIDO U2F authenticators using the formats defined in <a data-link-type="biblio" href="#biblio-fido-u2f-message-formats">[FIDO-U2F-Message-Formats]</a>.</p>
   <dl>
    <dt data-md="">Attestation statement format identifier
    <dd data-md="">
     <p>fido-u2f</p>
    <dt data-md="">Attestation types supported
    <dd data-md="">
     <p>Basic</p>
    <dt data-md="">Syntax
    <dd data-md="">
     <p>The syntax of a FIDO U2F attestation statement is defined as follows:</p>
<pre>    $$attStmtType //= (
                          fmt: "fido-u2f",
                          attStmt: u2fStmtFormat
                      )

    u2fStmtFormat = {
                        x5c: [ attestnCert: bytes, * (caCert: bytes) ],
                        sig: bytes
                    }
</pre>
     <p>The semantics of the above fields are as follows:</p>
     <dl>
      <dt data-md="">x5c
      <dd data-md="">
       <p>The elements of this array contain the attestation certificate and its certificate chain, each encoded in X.509 format.
The attestation certificate must be the first element in the array.</p>
      <dt data-md="">sig
      <dd data-md="">
       <p>The attestation signature.</p>
     </dl>
    <dt data-md="">Signing procedure
    <dd data-md="">
     <p>If the credential public key of the given credential is not of algorithm "ES256", stop and return an error.</p>
     <p>Let <var>authenticatorData</var> denote the <a data-link-type="dfn" href="#authenticator-data-for-the-attestation" id="ref-for-authenticator-data-for-the-attestation-6">authenticator data for the attestation</a>, and let <var>clientDataHash</var> denote the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data-25">hash of the serialized client data</a>.</p>
     <p>If <var>clientDataHash</var> is 256 bits long, set <var>tbsHash</var> to this value. Otherwise set <var>tbsHash</var> to the SHA-256 hash of <var>clientDataHash</var>.</p>
     <p>Generate a signature as specified in <a data-link-type="biblio" href="#biblio-fido-u2f-message-formats">[FIDO-U2F-Message-Formats]</a> section 4.3, with the application parameter set to the
SHA-256 hash of the RP ID associated with the given credential, the challenge parameter set to <var>tbsHash</var>, and the key handle
parameter set to the credential ID of the given credential. Set this as <var>sig</var> and set the attestation certificate of
the attestation public key as <var>x5c</var>.</p>
    <dt data-md="">Verification procedure
    <dd data-md="">
     <p>Verification is performed as follows:</p>
     <ul>
      <li data-md="">
       <p>Verify that the given attestation statement is valid CBOR conforming to the syntax defined above.</p>
      <li data-md="">
       <p>If <var>x5c</var> is not a certificate for an ECDSA public key over the P-256 curve, stop verification and return an error.</p>
      <li data-md="">
       <p>Let <var>authenticatorData</var> denote the <a data-link-type="dfn" href="#authenticator-data-claimed-to-have-been-used-for-the-attestation" id="ref-for-authenticator-data-claimed-to-have-been-used-for-the-attestation-5">authenticator data claimed to have been used for the attestation</a>, and let <var>clientDataHash</var> denote the <a data-link-type="dfn" href="#collectedclientdata-hash-of-the-serialized-client-data" id="ref-for-collectedclientdata-hash-of-the-serialized-client-data-26">hash of the serialized client data</a>.</p>
      <li data-md="">
       <p>If <var>clientDataHash</var> is 256 bits long, set <var>tbsHash</var> to this value. Otherwise set <var>tbsHash</var> to the SHA-256
hash of <var>clientDataHash</var>.</p>
      <li data-md="">
       <p>From <var>authenticatorData</var>, extract the claimed RP ID hash, the claimed credential ID and the claimed credential public key.</p>
      <li data-md="">
       <p>Generate the claimed to-be-signed data as specified in <a data-link-type="biblio" href="#biblio-fido-u2f-message-formats">[FIDO-U2F-Message-Formats]</a> section 4.3, with the application
parameter set to the claimed RP ID hash, the challenge parameter set to <var>tbsHash</var>, the key handle parameter set to the
claimed credential ID of the given credential, and the user public key parameter set to the claimed credential public
key.</p>
      <li data-md="">
       <p>Verify that the <var>sig</var> is a valid ECDSA P-256 signature over the to-be-signed data constructed above.</p>
      <li data-md="">
       <p>If successful, return attestation type Basic with the trust path set to <var>x5c</var>.</p>
     </ul>
   </dl>
   <h2 class="heading settled" data-level="8" id="extensions"><span class="secno">8. </span><span class="content">WebAuthn Extensions</span><a class="self-link" href="#extensions"></a></h2>
   <p>The mechanism for generating <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential-26">public key credentials</a>, as well as requesting and generating Authentication assertions, as
defined in <a href="#api">§4 Web Authentication API</a>, can be extended to suit particular use cases. Each case is addressed by defining a <dfn class="dfn-paneled" data-dfn-type="dfn" data-lt="registration extension" data-noexport="" id="registration-extension">registration
extension</dfn> and/or an <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="authentication-extension">authentication extension</dfn>.</p>
   <p>Every extension is a <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="client-extension">client extension</dfn>, meaning that the extension involves communication with and processing by the
client. <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension-4">Client extensions</a> define the following steps and data:</p>
   <ul>
    <li data-md="">
     <p><code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create">navigator.credentials.create()</a></code> extension request parameters and response values for <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension-2">registration extensions</a>.</p>
    <li data-md="">
     <p><code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get">navigator.credentials.get()</a></code> extension request parameters and response values for <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension-2">authentication extensions</a>.</p>
    <li data-md="">
     <p><a data-link-type="dfn" href="#client-extension-processing" id="ref-for-client-extension-processing-6">Client extension processing</a> for <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension-3">registration extensions</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension-3">authentication extensions</a>.</p>
   </ul>
   <p>When creating a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential-27">public key credential</a> or requesting an <a data-link-type="dfn" href="#authentication-assertion" id="ref-for-authentication-assertion-8">authentication assertion</a>, a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-88">Relying Party</a> can request the use of a set of
extensions. These extensions will be invoked during the requested operation if they are supported by the client and/or the
authenticator. The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-89">Relying Party</a> sends the <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input-1">client extension input</a> for each extension in the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get">get()</a></code> call (for <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension-4">authentication extensions</a>) or <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create">create()</a></code> call (for <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension-4">registration extensions</a>) to the client
platform. The client platform performs <a data-link-type="dfn" href="#client-extension-processing" id="ref-for-client-extension-processing-7">client extension processing</a> for each extension that it supports, and augments the <a data-link-type="dfn" href="#client-data" id="ref-for-client-data-9">client data</a> as specified by each extension, by including the <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier-5">extension identifier</a> and <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output-6">client extension output</a> values.</p>
   <p>An extension can also be an <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="authenticator-extension">authenticator extension</dfn>, meaning that the extension invoves communication with and
processing by the authenticator. <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension-4">Authenticator extensions</a> define the following steps and data:</p>
   <ul>
    <li data-md="">
     <p><a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential-8">authenticatorMakeCredential</a> extension request parameters and response values for <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension-5">registration extensions</a>.</p>
    <li data-md="">
     <p><a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion-11">authenticatorGetAssertion</a> extension request parameters and response values for <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension-5">authentication extensions</a>.</p>
    <li data-md="">
     <p><a data-link-type="dfn" href="#authenticator-extension-processing" id="ref-for-authenticator-extension-processing-1">Authenticator extension processing</a> for <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension-6">registration extensions</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension-6">authentication extensions</a>.</p>
   </ul>
   <p>For <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension-5">authenticator extensions</a>, as part of the <a data-link-type="dfn" href="#client-extension-processing" id="ref-for-client-extension-processing-8">client extension processing</a>, the client also creates the <a data-link-type="dfn" href="#cbor" id="ref-for-cbor-5">CBOR</a> <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input-1">authenticator extension input</a> value for each extension (often based on the corresponding <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input-2">client extension input</a> value),
and passes them to the authenticator in the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create">create()</a></code> call (for <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension-7">registration extensions</a>) or the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get">get()</a></code> call (for <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension-7">authentication extensions</a>). These <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input-2">authenticator extension input</a> values are
represented in <a data-link-type="dfn" href="#cbor" id="ref-for-cbor-6">CBOR</a> and passed as name-value pairs, with the <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier-6">extension identifier</a> as the name, and the corresponding <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input-3">authenticator extension input</a> as the value. The authenticator, in turn, performs additional processing for the extensions
that it supports, and returns the <a data-link-type="dfn" href="#cbor" id="ref-for-cbor-7">CBOR</a> <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output-2">authenticator extension output</a> for each as specified by the extension. Part of
the <a data-link-type="dfn" href="#client-extension-processing" id="ref-for-client-extension-processing-9">client extension processing</a> for <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension-6">authenticator extensions</a> is to use the <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output-3">authenticator extension output</a> as an
input to creating the <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output-7">client extension output</a>.</p>
   <p>All WebAuthn extensions are optional for both clients and authenticators. Thus, any extensions requested by a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-90">Relying Party</a> may be
ignored by the client browser or OS and not passed to the authenticator at all, or they may be ignored by the authenticator.
Ignoring an extension is never considered a failure in WebAuthn API processing, so when Relying Parties include extensions with any API
calls, they must be prepared to handle cases where some or all of those extensions are ignored.</p>
   <p>Clients wishing to support the widest possible range of extensions may choose to pass through any extensions that they do not
recognize to authenticators, generating the <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input-4">authenticator extension input</a> by simply encoding the <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input-3">client extension input</a> in CBOR. All WebAuthn extensions MUST be defined in such a way that this implementation choice does not endanger the user’s
security or privacy. For instance, if an extension requires client processing, it could be defined in a manner that ensures such
a naïve pass-through will produce a semantically invalid <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input-5">authenticator extension input</a> value, resulting in the extension
being ignored by the authenticator. Since all extensions are optional, this will not cause a functional failure in the API
operation. Likewise, clients can choose to produce a <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output-8">client extension output</a> value for an extension that it does not
understand by encoding the <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output-4">authenticator extension output</a> value into JSON, provided that the CBOR output uses only types
present in JSON.</p>
   <p>The IANA "WebAuthn Extension Identifier" registry established by <a data-link-type="biblio" href="#biblio-webauthn-registries">[WebAuthn-Registries]</a> should be consulted
for an up-to-date list of registered WebAuthn Extensions.</p>
   <h3 class="heading settled" data-level="8.1" id="sctn-extension-id"><span class="secno">8.1. </span><span class="content">Extension Identifiers</span><a class="self-link" href="#sctn-extension-id"></a></h3>
   <p>Extensions are identified by a string, called an <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="extension-identifier">extension identifier</dfn>, chosen by the extension author.</p>
   <p>Extension identifiers SHOULD be registered per <a data-link-type="biblio" href="#biblio-webauthn-registries">[WebAuthn-Registries]</a> "Registries for Web Authentication (WebAuthn)".
All registered extension identifiers are unique amongst themselves as a matter of course.</p>
   <p>Unregistered extension identifiers should aim to be globally unique, e.g., by including the defining entity such as <code>myCompany_extension</code>.</p>
   <p>All extension identifiers MUST be a maximum of 32 octets in length and MUST consist only of printable USASCII characters,
excluding backslash and doublequote, i.e., VCHAR as defined in <a data-link-type="biblio" href="#biblio-rfc5234">[RFC5234]</a> but without %x22 and %x5c. Implementations MUST
match WebAuthn extension identifiers in a case-sensitive fashion.</p>
   <p>Extensions that may exist in multiple versions should take care to include a version in their identifier. In effect, different
versions are thus treated as different extensions, e.g., <code>myCompany_extension_01</code></p>
   <p><a href="#sctn-defined-extensions">§9 Defined Extensions</a> defines an initial set of extensions and their identifiers.
See the IANA "WebAuthn Extension Identifier" registry established by <a data-link-type="biblio" href="#biblio-webauthn-registries">[WebAuthn-Registries]</a> for an up-to-date list of registered WebAuthn Extension Identifiers.</p>
   <h3 class="heading settled" data-level="8.2" id="sctn-extension-specification"><span class="secno">8.2. </span><span class="content">Defining extensions</span><a class="self-link" href="#sctn-extension-specification"></a></h3>
   <p>A definition of an extension must specify an <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier-7">extension identifier</a>, a <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input-4">client extension input</a> argument
to be sent via the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get">get()</a></code> or <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create">create()</a></code> call,
the <a data-link-type="dfn" href="#client-extension-processing" id="ref-for-client-extension-processing-10">client extension processing</a> rules, and a <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output-9">client extension output</a> value.
If the extension communicates with the authenticator (meaning it is an <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension-7">authenticator extension</a>),
it must also specify the <a data-link-type="dfn" href="#cbor" id="ref-for-cbor-8">CBOR</a> <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input-6">authenticator extension input</a> argument
sent via the <a data-link-type="dfn" href="#authenticatorgetassertion" id="ref-for-authenticatorgetassertion-12">authenticatorGetAssertion</a> or <a data-link-type="dfn" href="#authenticatormakecredential" id="ref-for-authenticatormakecredential-9">authenticatorMakeCredential</a> call,
the <a data-link-type="dfn" href="#authenticator-extension-processing" id="ref-for-authenticator-extension-processing-2">authenticator extension processing</a> rules, and the <a data-link-type="dfn" href="#cbor" id="ref-for-cbor-9">CBOR</a> <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output-5">authenticator extension output</a> value.</p>
   <p>Any <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension-5">client extension</a> that is processed by the client MUST return a <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output-10">client extension output</a> value so that
the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-91">Relying Party</a> knows that the extension was honored by the client. Similarly, any extension that requires authenticator processing MUST
return an <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output-6">authenticator extension output</a> to let the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-92">Relying Party</a> know that the extension was honored by the authenticator.
If an extension does not otherwise require any result values, it SHOULD be defined as returning a JSON Boolean <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output-11">client extension output</a> result,
set to <code>true</code> to signify that the extension was understood and processed.
Likewise, any <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension-8">authenticator extension</a> that does not otherwise require any result values
MUST return a value and
SHOULD return a CBOR Boolean <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output-7">authenticator extension output</a> result,
set to <code>true</code> to signify that the extension was understood and processed.</p>
   <h3 class="heading settled" data-level="8.3" id="sctn-extension-request-parameters"><span class="secno">8.3. </span><span class="content">Extending request parameters</span><a class="self-link" href="#sctn-extension-request-parameters"></a></h3>
   <p>An extension defines one or two request arguments. The <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="client-extension-input">client extension input</dfn>,
which is a value that can be encoded in JSON, is passed from the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-93">Relying Party</a> to the client
in the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get">get()</a></code> or <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create">create()</a></code> call,
while the <a data-link-type="dfn" href="#cbor" id="ref-for-cbor-10">CBOR</a> <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="authenticator-extension-input">authenticator extension input</dfn> is
passed from the client to the authenticator for <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension-9">authenticator extensions</a> during the processing of these calls.</p>
   <p>A <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-94">Relying Party</a> simultaneously requests the use of an extension and sets its <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input-5">client extension input</a> by including an entry in the <code class="idl"><a data-link-type="idl" href="#dom-makecredentialoptions-extensions" id="ref-for-dom-makecredentialoptions-extensions-4">extensions</a></code> option to the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create">create()</a></code> or <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get">get()</a></code> call.
The entry key is the <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier-8">extension identifier</a> and the value is the <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input-6">client extension input</a>.</p>
<pre class="example highlight" id="example-dad64d8a"><a class="self-link" href="#example-dad64d8a"></a><span class="kd">var</span> assertionPromise <span class="o">=</span> navigator<span class="p">.</span>credentials<span class="p">.</span>get<span class="p">(</span><span class="p">{</span>
    publicKey<span class="o">:</span> <span class="p">{</span>
        challenge<span class="o">:</span> <span class="s2">"..."</span><span class="p">,</span>
        extensions<span class="o">:</span> <span class="p">{</span>
            <span class="s2">"webauthnExample_foobar"</span><span class="o">:</span> <span class="mi">42</span>
        <span class="p">}</span>
    <span class="p">}</span>
<span class="p">}</span><span class="p">)</span><span class="p">;</span>
</pre>
   <p>Extension definitions MUST specify the valid values for their <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input-7">client extension input</a>. Clients SHOULD ignore extensions with
an invalid <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input-8">client extension input</a>. If an extension does not require any parameters from the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-95">Relying Party</a>, it SHOULD be defined as
taking a Boolean client argument, set to <code>true</code> to signify that the extension is requested by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-96">Relying Party</a>.</p>
   <p>Extensions that only affect client processing need not specify <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input-7">authenticator extension input</a>. Extensions that have
authenticator processing MUST specify the method of computing the <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input-8">authenticator extension input</a> from the <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input-9">client extension
input</a>. For extensions that do not require input parameters and are defined as taking a Boolean <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input-10">client extension input</a> value set to <code>true</code>, this method SHOULD consist of passing an <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input-9">authenticator extension input</a> value of <code>true</code> (CBOR major type
7, value 21).</p>
   <p class="note" role="note"><span>Note:</span> Extensions should aim to define authenticator arguments that are as small as possible. Some authenticators communicate
    over low-bandwidth links such as Bluetooth Low-Energy or NFC.</p>
   <h3 class="heading settled" data-level="8.4" id="sctn-client-extension-processing"><span class="secno">8.4. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="client-extension-processing">Client extension processing</dfn></span><a class="self-link" href="#sctn-client-extension-processing"></a></h3>
   <p>Extensions may define additional processing requirements on the client platform during the creation of credentials or the
generation of an assertion. The <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input-11">client extension input</a> for the extension is used an input to this client processing.
Supported <a data-link-type="dfn" href="#client-extension" id="ref-for-client-extension-6">client extensions</a> are recorded as a dictionary in the <a data-link-type="dfn" href="#client-data" id="ref-for-client-data-10">client data</a> with the key <code class="idl"><a data-link-type="idl" href="#dom-collectedclientdata-clientextensions" id="ref-for-dom-collectedclientdata-clientextensions-6">clientExtensions</a></code>. For each such extension, the client adds an entry to this dictionary with the <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier-9">extension identifier</a> as the key, and the extension’s <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input-12">client extension input</a> as the value.</p>
   <p>Likewise, the <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output-12">client extension outputs</a> are represented as a dictionary in the <code class="idl"><a data-link-type="idl" href="#dom-publickeycredential-clientextensionresults" id="ref-for-dom-publickeycredential-clientextensionresults-4">clientExtensionResults</a></code> with <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier-10">extension identifiers</a> as keys, and the <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="client-extension-output">client extension output</dfn> value of each extension as the value.
Like the <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input-13">client extension input</a>, the <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output-13">client extension output</a> is a value that can be encoded in JSON.</p>
   <p>Extensions that require authenticator processing MUST define
the process by which the <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input-14">client extension input</a> can be used to determine the <a data-link-type="dfn" href="#cbor" id="ref-for-cbor-11">CBOR</a> <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input-10">authenticator extension input</a> and
the process by which the <a data-link-type="dfn" href="#cbor" id="ref-for-cbor-12">CBOR</a> <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output-8">authenticator extension output</a> can be used to determine the <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output-14">client extension output</a>.</p>
   <h3 class="heading settled" data-level="8.5" id="sctn-authenticator-extension-processing"><span class="secno">8.5. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="authenticator-extension-processing">Authenticator extension processing</dfn></span><a class="self-link" href="#sctn-authenticator-extension-processing"></a></h3>
   <p>As specified in <a href="#sec-authenticator-data">§5.1 Authenticator data</a>, the <a data-link-type="dfn" href="#cbor" id="ref-for-cbor-13">CBOR</a> <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input-11">authenticator extension input</a> value of each processed <a data-link-type="dfn" href="#authenticator-extension" id="ref-for-authenticator-extension-10">authenticator extension</a> is included in the extensions data part of the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-32">authenticator data</a>. This part is a CBOR map, with <a data-link-type="dfn" href="#cbor" id="ref-for-cbor-14">CBOR</a> <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier-11">extension identifier</a> values as keys, and the <a data-link-type="dfn" href="#cbor" id="ref-for-cbor-15">CBOR</a> <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input-12">authenticator extension input</a> value of each extension as
the value.</p>
   <p>Likewise, the extension output is represented in the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-33">authenticator data</a> as a CBOR map with <a data-link-type="dfn" href="#cbor" id="ref-for-cbor-16">CBOR</a> <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier-12">extension
identifiers</a> as keys, and the <a data-link-type="dfn" href="#cbor" id="ref-for-cbor-17">CBOR</a> <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="authenticator-extension-output">authenticator extension output</dfn> value of each extension as the value.</p>
   <p>The <a data-link-type="dfn" href="#authenticator-extension-processing" id="ref-for-authenticator-extension-processing-3">authenticator extension processing</a> rules are used create the <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output-9">authenticator extension output</a> from the <a data-link-type="dfn" href="#authenticator-extension-input" id="ref-for-authenticator-extension-input-13">authenticator extension input</a>, and possibly also other inputs, for each extension.</p>
   <h3 class="heading settled" data-level="8.6" id="sctn-example-extension"><span class="secno">8.6. </span><span class="content">Example Extension</span><a class="self-link" href="#sctn-example-extension"></a></h3>
   <p><em>This section is not normative.</em></p>
   <p>To illustrate the requirements above, consider a hypothetical <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension-8">registration extension</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension-8">authentication extension</a> "Geo".
This extension, if supported, enables a geolocation location to be returned from the authenticator or client to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-97">Relying Party</a>.</p>
   <p>The <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier-13">extension identifier</a> is chosen as <code>webauthnExample_geo</code>. The <a data-link-type="dfn" href="#client-extension-input" id="ref-for-client-extension-input-15">client extension input</a> is the constant value <code>true</code>,
since the extension does not require the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-98">Relying Party</a> to pass any particular information to the client, other than that it requests
the use of the extension. The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-99">Relying Party</a> sets this value in its request for an assertion:</p>
<pre class="highlight"><span class="kd">var</span> assertionPromise <span class="o">=</span>
    navigator<span class="p">.</span>credentials<span class="p">.</span>get<span class="p">(</span><span class="p">{</span>
        publicKey<span class="o">:</span> <span class="p">{</span>
            challenge<span class="o">:</span> <span class="s2">"SGFuIFNvbG8gc2hvdCBmaXJzdC4"</span><span class="p">,</span>
            allowList<span class="o">:</span> <span class="p">[</span><span class="p">]</span><span class="p">,</span> <span class="cm">/* Empty filter */</span>
            extensions<span class="o">:</span> <span class="p">{</span> <span class="s1">'webauthnExample_geo'</span><span class="o">:</span> <span class="kc">true</span> <span class="p">}</span>
        <span class="p">}</span>
    <span class="p">}</span><span class="p">)</span><span class="p">;</span>
</pre>
   <p>The extension also requires the client to set the authenticator parameter to the fixed value <code>true</code>.</p>
   <p>The extension requires the authenticator to specify its geolocation in the <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output-10">authenticator extension output</a>, if known. The
extension e.g. specifies that the location shall be encoded as a two-element array of floating point numbers, encoded with CBOR.
An authenticator does this by including it in the <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-34">authenticator data</a>. As an example, <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-35">authenticator data</a> may be as
follows (notation taken from <a data-link-type="biblio" href="#biblio-rfc7049">[RFC7049]</a>):</p>
<pre>81 (hex)                                    -- Flags, ED and TUP both set.
20 05 58 1F                                 -- Signature counter
A1                                          -- CBOR map of one element
    73                                      -- Key 1: CBOR text string of 19 bytes
        77 65 62 61 75 74 68 6E 45 78 61
        6D 70 6C 65 5F 67 65 6F             -- "webauthnExample_geo" [=UTF-8 encoded=] string
    82                                      -- Value 1: CBOR array of two elements
        FA 42 82 1E B3                      -- Element 1: Latitude as CBOR encoded float
        FA C1 5F E3 7F                      -- Element 2: Longitude as CBOR encoded float
</pre>
   <p>The extension defines the <a data-link-type="dfn" href="#client-extension-output" id="ref-for-client-extension-output-15">client extension output</a> to be the geolocation information, if known, as a GeoJSON <a data-link-type="biblio" href="#biblio-geojson">[GeoJSON]</a> point. The client constructs the following <a data-link-type="dfn" href="#client-data" id="ref-for-client-data-11">client data</a>:</p>
<pre class="highlight"><span class="p">{</span>
    <span class="p">...</span><span class="p">,</span>
    <span class="s1">'extensions'</span><span class="o">:</span> <span class="p">{</span>
        <span class="s1">'webauthnExample_geo'</span><span class="o">:</span> <span class="p">{</span>
            <span class="s1">'type'</span><span class="o">:</span> <span class="s1">'Point'</span><span class="p">,</span>
            <span class="s1">'coordinates'</span><span class="o">:</span> <span class="p">[</span><span class="mf">65.059962</span><span class="p">,</span> <span class="o">-</span><span class="mf">13.993041</span><span class="p">]</span>
        <span class="p">}</span>
    <span class="p">}</span>
<span class="p">}</span>
</pre>
   <h2 class="heading settled" data-level="9" id="sctn-defined-extensions"><span class="secno">9. </span><span class="content">Defined Extensions</span><a class="self-link" href="#sctn-defined-extensions"></a></h2>
   <p>This section defines the initial set of extensions to be registered in the
IANA "WebAuthn Extension Identifier" registry established by <a data-link-type="biblio" href="#biblio-webauthn-registries">[WebAuthn-Registries]</a>.
These are recommended for implementation by user agents targeting broad interoperability.</p>
   <h3 class="heading settled" data-level="9.1" id="sctn-appid-extension"><span class="secno">9.1. </span><span class="content">FIDO AppId Extension (appid)</span><a class="self-link" href="#sctn-appid-extension"></a></h3>
   <p>This <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension-9">authentication extension</a> allows Relying Parties that have previously registered a
credential using the legacy FIDO JavaScript APIs to request an assertion.
Specifically, this extension allows Relying Parties to specify an <var>appId</var> <a data-link-type="biblio" href="#biblio-fido-appid">[FIDO-APPID]</a> to overwrite the otherwise computed <var>rpId</var>.  This extension is only valid if
used during the <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get">get()</a></code> call; other usage will result in client
error.</p>
   <dl>
    <dt data-md="">Extension identifier
    <dd data-md="">
     <p><code>appid</code></p>
    <dt data-md="">Client extension input
    <dd data-md="">
     <p>A single JSON string specifying a FIDO <var>appId</var>.</p>
    <dt data-md="">Client extension processing
    <dd data-md="">
     <p>If <code class="idl"><a data-link-type="idl" href="#dom-publickeycredentialrequestoptions-rpid" id="ref-for-dom-publickeycredentialrequestoptions-rpid-5">rpId</a></code> is present, reject promise with a DOMException
whose name is "<code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#notallowederror">NotAllowedError</a></code>", and terminate this algorithm.
Replace the calculation of <var>rpId</var> in Step 3 of <a href="#getAssertion">§4.1.4 Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a> with the
following procedure:  The client uses the value of <var>appid</var> to perform
the AppId validation procedure (as defined by <a data-link-type="biblio" href="#biblio-fido-appid">[FIDO-APPID]</a>).  If valid,
the value of <var>rpId</var> for all client processing should be replaced by the
value of <var>appid</var>.</p>
    <dt data-md="">Client extension output
    <dd data-md="">
     <p>Returns the JSON value <code>true</code> to indicate to the RP that the extension was acted upon</p>
    <dt data-md="">Authenticator extension input
    <dd data-md="">
     <p>None.</p>
    <dt data-md="">Authenticator extension processing
    <dd data-md="">
     <p>None.</p>
    <dt data-md="">Authenticator extension output
    <dd data-md="">
     <p>None.</p>
   </dl>
   <h3 class="heading settled" data-level="9.2" id="sctn-simple-txauth-extension"><span class="secno">9.2. </span><span class="content">Simple Transaction Authorization Extension (txAuthSimple)</span><a class="self-link" href="#sctn-simple-txauth-extension"></a></h3>
   <p>This <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension-9">registration extension</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension-10">authentication extension</a> allows for a simple form of transaction authorization. A <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-100">Relying Party</a> can specify a prompt string, intended for display on a trusted device on the authenticator.</p>
   <dl>
    <dt data-md="">Extension identifier
    <dd data-md="">
     <p><code>txAuthSimple</code></p>
    <dt data-md="">Client extension input
    <dd data-md="">
     <p>A single JSON string prompt.</p>
    <dt data-md="">Client extension processing
    <dd data-md="">
     <p>None, except creating the authenticator extension input from the client extension input.</p>
    <dt data-md="">Client extension output
    <dd data-md="">
     <p>Returns the authenticator extension output string UTF-8 decoded into a JSON string</p>
    <dt data-md="">Authenticator extension input
    <dd data-md="">
     <p>The client extension input encoded as a CBOR text string (major type 3).</p>
    <dt data-md="">Authenticator extension processing
    <dd data-md="">
     <p>The authenticator MUST display the prompt to the user before performing either <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification-9">user verification</a> or <a data-link-type="dfn" href="#test-of-user-presence" id="ref-for-test-of-user-presence-4">test of user
presence</a>. The authenticator may insert line breaks if needed.</p>
    <dt data-md="">Authenticator extension output
    <dd data-md="">
     <p>A single CBOR string, representing the prompt as displayed (including any eventual line breaks).</p>
   </dl>
   <h3 class="heading settled" data-level="9.3" id="sctn-generic-txauth-extension"><span class="secno">9.3. </span><span class="content">Generic Transaction Authorization Extension (txAuthGeneric)</span><a class="self-link" href="#sctn-generic-txauth-extension"></a></h3>
   <p>This <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension-10">registration extension</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension-11">authentication extension</a> allows images to be used as transaction authorization prompts
as well. This allows authenticators without a font rendering engine to be used and also supports a richer visual appearance.</p>
   <dl>
    <dt data-md="">Extension identifier
    <dd data-md="">
     <p><code>txAuthGeneric</code></p>
    <dt data-md="">Client extension input
    <dd data-md="">
     <p>A CBOR map defined as follows:</p>
<pre>    txAuthGenericArg = {
                           contentType: text,   ; MIME-Type of the content, e.g. "image/png"
                           content: bytes
                       }
</pre>
    <dt data-md="">Client extension processing
    <dd data-md="">
     <p>None, except creating the authenticator extension input from the client extension input.</p>
    <dt data-md="">Client extension output
    <dd data-md="">
     <p>Returns the base64url encoding of the authenticator extension output value as a JSON string</p>
    <dt data-md="">Authenticator extension input
    <dd data-md="">
     <p>The client extension input encoded as a CBOR map.</p>
    <dt data-md="">Authenticator extension processing
    <dd data-md="">
     <p>The authenticator MUST display the <code>content</code> to the user before performing either <a data-link-type="dfn" href="#user-verification" id="ref-for-user-verification-10">user verification</a> or <a data-link-type="dfn" href="#test-of-user-presence" id="ref-for-test-of-user-presence-5">test of
user presence</a>. The authenticator may add other information below the <code>content</code>. No changes are allowed to the <code>content</code> itself, i.e., inside <code>content</code> boundary box.</p>
    <dt data-md="">Authenticator extension output
    <dd data-md="">
     <p>The hash value of the <code>content</code> which was displayed. The authenticator MUST use the same hash algorithm as it uses for the
signature itself.</p>
   </dl>
   <h3 class="heading settled" data-level="9.4" id="sctn-authenticator-selection-extension"><span class="secno">9.4. </span><span class="content">Authenticator Selection Extension (authnSel)</span><a class="self-link" href="#sctn-authenticator-selection-extension"></a></h3>
   <p>This <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension-11">registration extension</a> allows a <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-101">Relying Party</a> to guide the selection of the authenticator that will be leveraged when creating
the credential. It is intended primarily for Relying Parties that wish to tightly control the experience around credential creation.</p>
   <dl>
    <dt data-md="">Extension identifier
    <dd data-md="">
     <p><code>authnSel</code></p>
    <dt data-md="">Client extension input
    <dd data-md="">
     <p>A sequence of AAGUIDs:</p>
<pre class="idl highlight def"><span class="kt">typedef</span> <span class="kt">sequence</span>&lt;<a class="n" data-link-type="idl-name" href="#typedefdef-aaguid" id="ref-for-typedefdef-aaguid-1">AAGUID</a>> <dfn class="nv dfn-paneled idl-code" data-dfn-type="typedef" data-export="" id="typedefdef-authenticatorselectionlist">AuthenticatorSelectionList</dfn>;
</pre>
     <p>Each AAGUID corresponds to an authenticator model that is acceptable to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-102">Relying Party</a> for this credential creation. The
list is ordered by decreasing preference.</p>
     <p>An AAGUID is defined as an array containing the globally unique identifier of the authenticator model being sought.</p>
<pre class="idl highlight def"><span class="kt">typedef</span> <a class="n" data-link-type="idl-name" href="https://heycam.github.io/webidl/#BufferSource">BufferSource</a> <dfn class="nv dfn-paneled idl-code" data-dfn-type="typedef" data-export="" id="typedefdef-aaguid">AAGUID</dfn>;
</pre>
    <dt data-md="">Client extension processing
    <dd data-md="">
     <p>This extension can only be used during <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create">create()</a></code>. If the client supports the Authenticator Selection
Extension, it MUST use the first available authenticator whose AAGUID is present in the <code class="idl"><a data-link-type="idl" href="#typedefdef-authenticatorselectionlist" id="ref-for-typedefdef-authenticatorselectionlist-1">AuthenticatorSelectionList</a></code>. If
none of the available authenticators match a provided AAGUID, the client MUST select an authenticator from among the
available authenticators to generate the credential.</p>
    <dt data-md="">Client extension output
    <dd data-md="">
     <p>Returns the JSON value <code>true</code> to indicate to the RP that the extension was acted upon</p>
    <dt data-md="">Authenticator extension input
    <dd data-md="">
     <p>None.</p>
    <dt data-md="">Authenticator extension processing
    <dd data-md="">
     <p>None.</p>
    <dt data-md="">Authenticator extension output
    <dd data-md="">
     <p>None.</p>
   </dl>
   <h3 class="heading settled" data-level="9.5" id="sctn-supported-extensions-extension"><span class="secno">9.5. </span><span class="content">Supported Extensions Extension (exts)</span><a class="self-link" href="#sctn-supported-extensions-extension"></a></h3>
   <p>This <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension-12">registration extension</a> enables the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-103">Relying Party</a> to determine which extensions the authenticator supports.</p>
   <dl>
    <dt data-md="">Extension identifier
    <dd data-md="">
     <p><code>exts</code></p>
    <dt data-md="">Client extension input
    <dd data-md="">
     <p>The Boolean value <code>true</code> to indicate that this extension is requested by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-104">Relying Party</a>.</p>
    <dt data-md="">Client extension processing
    <dd data-md="">
     <p>None, except creating the authenticator extension input from the client extension input.</p>
    <dt data-md="">Client extension output
    <dd data-md="">
     <p>Returns the list of supported extensions as a JSON array of <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier-14">extension identifier</a> strings</p>
    <dt data-md="">Authenticator extension input
    <dd data-md="">
     <p>The Boolean value <code>true</code>, encoded in CBOR (major type 7, value 21).</p>
    <dt data-md="">Authenticator extension processing
    <dd data-md="">
     <p>The <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-37">authenticator</a> sets the <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output-11">authenticator extension output</a> to be a list of extensions that the authenticator supports, as
defined below. This extension can be added to attestation objects.</p>
    <dt data-md="">Authenticator extension output
    <dd data-md="">
     <p>The SupportedExtensions extension is a list (CBOR array) of <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier-15">extension identifier</a> (<a data-link-type="dfn" href="https://encoding.spec.whatwg.org/#utf-8-encode">UTF-8 encoded</a> strings).</p>
   </dl>
   <h3 class="heading settled" data-level="9.6" id="sctn-uvi-extension"><span class="secno">9.6. </span><span class="content">User Verification Index Extension (uvi)</span><a class="self-link" href="#sctn-uvi-extension"></a></h3>
   <p>This <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension-13">registration extension</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension-12">authentication extension</a> enables use of a user verification index.</p>
   <dl>
    <dt data-md="">Extension identifier
    <dd data-md="">
     <p><code>uvi</code></p>
    <dt data-md="">Client extension input
    <dd data-md="">
     <p>The Boolean value <code>true</code> to indicate that this extension is requested by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-105">Relying Party</a>.</p>
    <dt data-md="">Client extension processing
    <dd data-md="">
     <p>None, except creating the authenticator extension input from the client extension input.</p>
    <dt data-md="">Client extension output
    <dd data-md="">
     <p>Returns a JSON string containing the base64url encoding of the authenticator extension output</p>
    <dt data-md="">Authenticator extension input
    <dd data-md="">
     <p>The Boolean value <code>true</code>, encoded in CBOR (major type 7, value 21).</p>
    <dt data-md="">Authenticator extension processing
    <dd data-md="">
     <p>The <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-38">authenticator</a> sets the <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output-12">authenticator extension output</a> to be a user verification index indicating the method used
by the user to authorize the operation, as defined below. This extension can be added to attestation objects and assertions.</p>
    <dt data-md="">Authenticator extension output
    <dd data-md="">
     <p>The user verification index (UVI) is a value uniquely identifying a user verification data record. The UVI is encoded as CBOR
byte string (type 0x58). Each UVI value MUST be specific to the related key (in order to provide unlinkability). It also
must contain sufficient entropy that makes guessing impractical. UVI values MUST NOT be reused by the Authenticator (for
other biometric data or users).</p>
     <p>The UVI data can be used by servers to understand whether an authentication was authorized by the exact same biometric data
as the initial key generation. This allows the detection and prevention of "friendly fraud".</p>
     <p>As an example, the UVI could be computed as SHA256(KeyID | SHA256(rawUVI)), where the rawUVI reflects (a) the biometric
reference data, (b) the related OS level user ID and (c) an identifier which changes whenever a factory reset is performed
for the device, e.g. rawUVI = biometricReferenceData | OSLevelUserID | FactoryResetCounter.</p>
     <p>Servers supporting UVI extensions MUST support a length of up to 32 bytes for the UVI value.</p>
     <p>Example for <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-36">authenticator data</a> containing one UVI extension</p>
<pre>...                                         -- RP ID hash (32 bytes)
81                                          -- TUP and ED set
00 00 00 01                                 -- (initial) signature counter
...                                         -- all public key alg etc.
A1                                          -- extension: CBOR map of one element
    63                                      -- Key 1: CBOR text string of 3 bytes
        75 76 69                            -- "uvi" [=UTF-8 encoded=] string
    58 20                                   -- Value 1: CBOR byte string with 0x20 bytes
        00 43 B8 E3 BE 27 95 8C             -- the UVI value itself
        28 D5 74 BF 46 8A 85 CF
        46 9A 14 F0 E5 16 69 31
        DA 4B CF FF C1 BB 11 32
        82
</pre>
   </dl>
   <h3 class="heading settled" data-level="9.7" id="sctn-location-extension"><span class="secno">9.7. </span><span class="content">Location Extension (loc)</span><a class="self-link" href="#sctn-location-extension"></a></h3>
   <p>The location <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension-14">registration extension</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension-13">authentication extension</a> provides the client device’s current location to the
WebAuthn relying party.</p>
   <dl>
    <dt data-md="">Extension identifier
    <dd data-md="">
     <p><code>loc</code></p>
    <dt data-md="">Client extension input
    <dd data-md="">
     <p>The Boolean value <code>true</code> to indicate that this extension is requested by the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-106">Relying Party</a>.</p>
    <dt data-md="">Client extension processing
    <dd data-md="">
     <p>None, except creating the authenticator extension input from the client extension input.</p>
    <dt data-md="">Client extension output
    <dd data-md="">
     <p>Returns a JSON object that encodes the location information in the authenticator extension output as a Coordinates value,
as defined by <a href="https://dev.w3.org/geo/api/spec-source.html#coordinates_interface">The W3C Geolocation API Specification</a>.</p>
    <dt data-md="">Authenticator extension input
    <dd data-md="">
     <p>The Boolean value <code>true</code>, encoded in CBOR (major type 7, value 21).</p>
    <dt data-md="">Authenticator extension processing
    <dd data-md="">
     <p>If the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-39">authenticator</a> does not support the extension, then the authenticator MUST ignore the extension request.
If the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-40">authenticator</a> accepts the extension, then the authenticator SHOULD only add this extension data to a packed
attestation or assertion.</p>
    <dt data-md="">Authenticator extension output
    <dd data-md="">
     <p>If the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-41">authenticator</a> accepts the extension request, then <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output-13">authenticator extension output</a> SHOULD provide location data
in the form of a CBOR-encoded map, with the first value being the <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier-16">extension identifier</a> and the second being an array of
returned values. The array elements SHOULD be derived from (key,value) pairings for each location attribute that the <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-42">authenticator</a> supports. The following is an example of <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-37">authenticator data</a> where the returned array is comprised of a
{longitude, latitude, altitude} triplet, following the coordinate representation defined in <a href="https://dev.w3.org/geo/api/spec-source.html#coordinates_interface">The W3C Geolocation API
Specification</a>.</p>
<pre>...                                         -- RP ID hash (32 bytes)
81                                          -- TUP and ED set
00 00 00 01                                 -- (initial) signature counter
...                                         -- all public key alg etc.
A1                                          -- extension: CBOR map of one element
    63                                      -- Value 1: CBOR text string of 3 bytes
        6C 6F 63                            -- "loc" [=UTF-8 encoded=] string
    86                                      -- Value 2: array of 6 elements
        68                  -- Element 1:  CBOR text string of 8 bytes
           6C 61 74 69 74 75 64 65          -- “latitude” [=UTF-8 encoded=] string
        FB ...                  -- Element 2:  Latitude as CBOR encoded double-precision float
        69                  -- Element 3:  CBOR text string of 9 bytes
           6C 6F 6E 67 69 74 75 64 65       -- “longitude” [=UTF-8 encoded=] string
        FB ...                  -- Element 4:  Longitude as CBOR encoded double-precision float
        68                  -- Element 5:  CBOR text string of 8 bytes
          61 6C 74 69 74 75 64 65           -- “altitude” [=UTF-8 encoded=] string
        FB ...                  -- Element 6:  Altitude as CBOR encoded double-precision float
</pre>
   </dl>
   <h3 class="heading settled" data-level="9.8" id="sctn-uvm-extension"><span class="secno">9.8. </span><span class="content">User Verification Method Extension (uvm)</span><a class="self-link" href="#sctn-uvm-extension"></a></h3>
   <p>This <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension-15">registration extension</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension-14">authentication extension</a> enables use of a user verification method.</p>
   <dl>
    <dt data-md="">Extension identifier
    <dd data-md="">
     <p><code>uvm</code></p>
    <dt data-md="">Client extension input
    <dd data-md="">
     <p>The Boolean value true to indicate that this extension is requested by the WebAuthn Relying Party.</p>
    <dt data-md="">Client extension processing
    <dd data-md="">
     <p>None, except creating the authenticator extension input from the client extension input.</p>
    <dt data-md="">Client extension output
    <dd data-md="">
     <p>Returns a JSON array of 3-element arrays of numbers that encodes the factors in the authenticator extension output</p>
    <dt data-md="">Authenticator extension input
    <dd data-md="">
     <p>The Boolean value <code>true</code>, encoded in CBOR (major type 7, value 21).</p>
    <dt data-md="">Authenticator extension processing
    <dd data-md="">
     <p>The <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-43">authenticator</a> sets the <a data-link-type="dfn" href="#authenticator-extension-output" id="ref-for-authenticator-extension-output-14">authenticator extension output</a> to be a user verification index indicating the method used
by the user to authorize the operation, as defined below. This extension can be added to attestation objects and assertions.</p>
    <dt data-md="">Authenticator extension output
    <dd data-md="">
     <p>Authenticators can report up to 3 different user verification methods (factors) used in a single authentication instance,
using the CBOR syntax defined below:</p>
<pre>    uvmFormat = [ 1*3 uvmEntry ]
    uvmEntry = [
                   userVerificationMethod: uint .size 4,
                   keyProtectionType: uint .size 2,
                   matcherProtectionType: uint .size 2
               ]
</pre>
     <p>The semantics of the fields in each <code>uvmEntry</code> are as follows:</p>
     <dl>
      <dt data-md="">userVerificationMethod
      <dd data-md="">
       <p>The authentication method/factor used by the authenticator to verify the user. Available values are defined in <a data-link-type="biblio" href="#biblio-fidoreg">[FIDOReg]</a>, "User Verification Methods" section.</p>
      <dt data-md="">keyProtectionType
      <dd data-md="">
       <p>The method used by the authenticator to protect the FIDO registration private key material. Available values are defined
in <a data-link-type="biblio" href="#biblio-fidoreg">[FIDOReg]</a>, "Key Protection Types" section.</p>
      <dt data-md="">matcherProtectionType
      <dd data-md="">
       <p>The method used by the authenticator to protect the matcher that performs user verification. Available values are defined
in <a data-link-type="biblio" href="#biblio-fidoreg">[FIDOReg]</a>, "Matcher Protection Types" section.</p>
     </dl>
     <p>If >3 factors can be used in an authentication instance the authenticator vendor must select the 3 factors it believes
will be most relevant to the Server to include in the UVM.</p>
     <p>Example for <a data-link-type="dfn" href="#authenticator-data" id="ref-for-authenticator-data-38">authenticator data</a> containing one UVM extension for a multi-factor authentication instance where 2 factors
were used:</p>
<pre>...                    -- RP ID hash (32 bytes)
81                     -- TUP and ED set
00 00 00 01            -- (initial) signature counter
...                    -- all public key alg etc.
A1                     -- extension: CBOR map of one element
    63                 -- Key 1: CBOR text string of 3 bytes
        75 76 6d       -- "uvm" [=UTF-8 encoded=] string
    82                 -- Value 1: CBOR array of length 2 indicating two factor usage
        83              -- Item 1: CBOR array of length 3
            02           -- Subitem 1: CBOR integer for User Verification Method Fingerprint
            04           -- Subitem 2: CBOR short for Key Protection Type TEE
            02           -- Subitem 3: CBOR short for Matcher Protection Type TEE
        83              -- Item 2: CBOR array of length 3
            04           -- Subitem 1: CBOR integer for User Verification Method Passcode
            01           -- Subitem 2: CBOR short for Key Protection Type Software
            01           -- Subitem 3: CBOR short for Matcher Protection Type Software
</pre>
   </dl>
   <h2 class="heading settled" data-level="10" id="sctn-IANA"><span class="secno">10. </span><span class="content">IANA Considerations</span><a class="self-link" href="#sctn-IANA"></a></h2>
   <h3 class="heading settled" data-level="10.1" id="sctn-att-fmt-reg"><span class="secno">10.1. </span><span class="content">WebAuthn Attestation Statement Format Identifier Registrations</span><a class="self-link" href="#sctn-att-fmt-reg"></a></h3>
   <p>This section registers the attestation statement formats defined in Section <a href="#defined-attestation-formats">§7 Defined Attestation Statement Formats</a> in the
IANA "WebAuthn Attestation Statement Format Identifier" registry established by <a data-link-type="biblio" href="#biblio-webauthn-registries">[WebAuthn-Registries]</a>.</p>
   <ul>
    <li data-md="">
     <p>WebAuthn Attestation Statement Format Identifier: packed</p>
    <li data-md="">
     <p>Description: The "packed" attestation statement format is a WebAuthn-optimized format for attestation data. It uses a very
compact but still extensible encoding method. This format is implementable by authenticators with limited resources (e.g.,
secure elements).</p>
    <li data-md="">
     <p>Specification Document: Section <a href="#packed-attestation">§7.2 Packed Attestation Statement Format</a> of this specification <br><br></p>
    <li data-md="">
     <p>WebAuthn Attestation Statement Format Identifier: tpm</p>
    <li data-md="">
     <p>Description: The TPM attestation statement format returns an attestation statement in the same format as the packed
attestation statement format, although the the rawData and signature fields are computed differently.</p>
    <li data-md="">
     <p>Specification Document: Section <a href="#tpm-attestation">§7.3 TPM Attestation Statement Format</a> of this specification <br><br></p>
    <li data-md="">
     <p>WebAuthn Attestation Statement Format Identifier: android-key</p>
    <li data-md="">
     <p>Description: Platform-provided authenticators based on Android versions "N", and later, may provide this proprietary "hardware
attestation" statement.</p>
    <li data-md="">
     <p>Specification Document: Section <a href="#android-key-attestation">§7.4 Android Key Attestation Statement Format</a> of this specification <br><br></p>
    <li data-md="">
     <p>WebAuthn Attestation Statement Format Identifier: android-safetynet</p>
    <li data-md="">
     <p>Description: Android-based, platform-provided authenticators may produce an attestation statement based on the Android
SafetyNet API.</p>
    <li data-md="">
     <p>Specification Document: Section <a href="#android-safetynet-attestation">§7.5 Android SafetyNet Attestation Statement Format</a> of this specification <br><br></p>
    <li data-md="">
     <p>WebAuthn Attestation Statement Format Identifier: fido-u2f</p>
    <li data-md="">
     <p>Description: Used with FIDO U2F authenticators</p>
    <li data-md="">
     <p>Specification Document: Section <a href="#fido-u2f-attestation">§7.6 FIDO U2F Attestation Statement Format</a> of this specification</p>
   </ul>
   <h3 class="heading settled" data-level="10.2" id="sctn-extensions-reg"><span class="secno">10.2. </span><span class="content">WebAuthn Extension Identifier Registrations</span><a class="self-link" href="#sctn-extensions-reg"></a></h3>
   <p>This section registers the <a data-link-type="dfn" href="#extension-identifier" id="ref-for-extension-identifier-17">extension identifier</a> values defined in Section <a href="#extensions">§8 WebAuthn Extensions</a> in the
IANA "WebAuthn Extension Identifier" registry established by <a data-link-type="biblio" href="#biblio-webauthn-registries">[WebAuthn-Registries]</a>.</p>
   <ul>
    <li data-md="">
     <p>WebAuthn Extension Identifier: appid</p>
    <li data-md="">
     <p>Description: This <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension-15">authentication extension</a> allows Relying Parties that have previously registered a credential using the legacy FIDO
JavaScript APIs to request an assertion.</p>
    <li data-md="">
     <p>Specification Document: Section <a href="#sctn-appid-extension">§9.1 FIDO AppId Extension (appid)</a> of this specification <br><br></p>
    <li data-md="">
     <p>WebAuthn Extension Identifier: txAuthSimple</p>
    <li data-md="">
     <p>Description: This <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension-16">registration extension</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension-16">authentication extension</a> allows for a simple form of transaction
authorization. A WebAuthn Relying Party can specify a prompt string, intended for display on a trusted device on the
authenticator</p>
    <li data-md="">
     <p>Specification Document: Section <a href="#sctn-simple-txauth-extension">§9.2 Simple Transaction Authorization Extension (txAuthSimple)</a> of this specification <br><br></p>
    <li data-md="">
     <p>WebAuthn Extension Identifier: txAuthGeneric</p>
    <li data-md="">
     <p>Description: This <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension-17">registration extension</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension-17">authentication extension</a> allows images to be used as transaction
authorization prompts as well. This allows authenticators without a font rendering engine to be used and also supports a
richer visual appearance than accomplished with the webauthn.txauth.simple extension.</p>
    <li data-md="">
     <p>Specification Document: Section <a href="#sctn-generic-txauth-extension">§9.3 Generic Transaction Authorization Extension (txAuthGeneric)</a> of this specification <br><br></p>
    <li data-md="">
     <p>WebAuthn Extension Identifier: authnSel</p>
    <li data-md="">
     <p>Description: This <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension-18">registration extension</a> allows a WebAuthn Relying Party to guide the selection of the authenticator that
will be leveraged when creating the credential. It is intended primarily for WebAuthn Relying Parties that wish to tightly
control the experience around credential creation.</p>
    <li data-md="">
     <p>Specification Document: Section <a href="#sctn-authenticator-selection-extension">§9.4 Authenticator Selection Extension (authnSel)</a> of this specification <br><br></p>
    <li data-md="">
     <p>WebAuthn Extension Identifier: exts</p>
    <li data-md="">
     <p>Description: This <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension-19">registration extension</a> enables the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-107">Relying Party</a> to determine which extensions the authenticator supports. The
extension data is a list (CBOR array) of extension identifiers encoded as UTF-8 Strings. This extension is added
automatically by the authenticator. This extension can be added to attestation statements.</p>
    <li data-md="">
     <p>Specification Document: Section <a href="#sctn-supported-extensions-extension">§9.5 Supported Extensions Extension (exts)</a> of this specification <br><br></p>
    <li data-md="">
     <p>WebAuthn Extension Identifier: uvi</p>
    <li data-md="">
     <p>Description: This <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension-20">registration extension</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension-18">authentication extension</a> enables use of a user verification index. The
user verification index is a value uniquely identifying a user verification data record. The UVI data can be used by servers
to understand whether an authentication was authorized by the exact same biometric data as the initial key generation. This
allows the detection and prevention of "friendly fraud".</p>
    <li data-md="">
     <p>Specification Document: Section <a href="#sctn-uvi-extension">§9.6 User Verification Index Extension (uvi)</a> of this specification <br><br></p>
    <li data-md="">
     <p>WebAuthn Extension Identifier: loc</p>
    <li data-md="">
     <p>Description: The location <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension-21">registration extension</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension-19">authentication extension</a> provides the client device’s current
location to the WebAuthn relying party, if supported by the client device and subject to user consent.</p>
    <li data-md="">
     <p>Specification Document: Section <a href="#sctn-location-extension">§9.7 Location Extension (loc)</a> of this specification <br><br></p>
    <li data-md="">
     <p>WebAuthn Extension Identifier: uvm</p>
    <li data-md="">
     <p>Description: This <a data-link-type="dfn" href="#registration-extension" id="ref-for-registration-extension-22">registration extension</a> and <a data-link-type="dfn" href="#authentication-extension" id="ref-for-authentication-extension-20">authentication extension</a> enables use of a user verification method.
The user verification method extension returns to the Webauthn relying party which user verification methods (factors) were
used for the WebAuthn operation.</p>
    <li data-md="">
     <p>Specification Document: Section <a href="#sctn-uvm-extension">§9.8 User Verification Method Extension (uvm)</a> of this specification</p>
   </ul>
   <h2 class="heading settled" data-level="11" id="sample-scenarios"><span class="secno">11. </span><span class="content">Sample scenarios</span><a class="self-link" href="#sample-scenarios"></a></h2>
   <p><em>This section is not normative.</em></p>
   <p>In this section, we walk through some events in the lifecycle of a <a data-link-type="dfn" href="#public-key-credential" id="ref-for-public-key-credential-28">public key credential</a>, along with the corresponding
sample code for using this API. Note that this is an example flow, and does not limit the scope of how the API can be used.</p>
   <p>As was the case in earlier sections, this flow focuses on a use case involving an external first-factor <a data-link-type="dfn" href="#authenticator" id="ref-for-authenticator-44">authenticator</a> with its own display. One example of such an authenticator would be a smart phone. Other authenticator types are also supported
by this API, subject to implementation by the platform. For instance, this flow also works without modification for the case of
an authenticator that is embedded in the client platform. The flow also works for the case of an authenticator without
its own display (similar to a smart card) subject to specific implementation considerations. Specifically, the client platform
needs to display any prompts that would otherwise be shown by the authenticator, and the authenticator needs to allow the client
platform to enumerate all the authenticator’s credentials so that the client can have information to show appropriate prompts.</p>
   <h3 class="heading settled" data-level="11.1" id="sample-registration"><span class="secno">11.1. </span><span class="content">Registration</span><a class="self-link" href="#sample-registration"></a></h3>
   <p>This is the first-time flow, in which a new credential is created and registered with the server.</p>
   <ol>
    <li data-md="">
     <p>The user visits example.com, which serves up a script. At this point, the user must already be logged in using a legacy
username and password, or additional authenticator, or other means acceptable to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-108">Relying Party</a>.</p>
    <li data-md="">
     <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-109">Relying Party</a> script runs the code snippet below.</p>
    <li data-md="">
     <p>The client platform searches for and locates the authenticator.</p>
    <li data-md="">
     <p>The client platform connects to the authenticator, performing any pairing actions if necessary.</p>
    <li data-md="">
     <p>The authenticator shows appropriate UI for the user to select the authenticator on which the new credential will be
created, and obtains a biometric or other authorization gesture from the user.</p>
    <li data-md="">
     <p>The authenticator returns a response to the client platform, which in turn returns a response to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-110">Relying Party</a> script. If
the user declined to select an authenticator or provide authorization, an appropriate error is returned.</p>
    <li data-md="">
     <p>If a new credential was created,</p>
     <ul>
      <li data-md="">
       <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-111">Relying Party</a> script sends the newly generated <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key-5">credential public key</a> to the server, along with additional information
such as attestation regarding the provenance and characteristics of the authenticator.</p>
      <li data-md="">
       <p>The server stores the <a data-link-type="dfn" href="#credential-public-key" id="ref-for-credential-public-key-6">credential public key</a> in its database and associates it with the user as well as with the
characteristics of authentication indicated by attestation, also storing a friendly name for later use.</p>
      <li data-md="">
       <p>The script may store data such as the credential ID in local storage, to improve future UX by narrowing the choice of
credential for the user.</p>
     </ul>
   </ol>
   <p>The sample code for generating and registering a new key follows:</p>
<pre class="example highlight" id="example-4576f5fd"><a class="self-link" href="#example-4576f5fd"></a><span class="k">if</span> <span class="p">(</span><span class="o">!</span>PublicKeyCredential<span class="p">)</span> <span class="p">{</span> <span class="cm">/* Platform not capable. Handle error. */</span> <span class="p">}</span>

<span class="kd">var</span> publicKey <span class="o">=</span> <span class="p">{</span>
  challenge<span class="o">:</span> Uint8Array<span class="p">.</span>from<span class="p">(</span>window<span class="p">.</span>atob<span class="p">(</span><span class="s2">"PGifxAoBwCkWkm4b1CiIl5otCphiIh6MijdjbWFjomA="</span><span class="p">)</span><span class="p">,</span> c<span class="p">=></span>c<span class="p">.</span>charCodeAt<span class="p">(</span><span class="mi">0</span><span class="p">)</span><span class="p">)</span><span class="p">,</span>

  <span class="c1">// Relying Party:
</span>  rp<span class="o">:</span> <span class="p">{</span>
    name<span class="o">:</span> <span class="s2">"Acme"</span>
  <span class="p">}</span><span class="p">,</span>

  <span class="c1">// User:
</span>  user<span class="o">:</span> <span class="p">{</span>
    id<span class="o">:</span> <span class="s2">"1098237235409872"</span>
    name<span class="o">:</span> <span class="s2">"john.p.smith@example.com"</span><span class="p">,</span>
    displayName<span class="o">:</span> <span class="s2">"John P. Smith"</span><span class="p">,</span>
    icon<span class="o">:</span> <span class="s2">"https://pics.acme.com/00/p/aBjjjpqPb.png"</span>
  <span class="p">}</span><span class="p">,</span>

  <span class="c1">// This Relying Party will accept either an ES256 or RS256 credential, but
</span>  <span class="c1">// prefers an ES256 credential.
</span>  parameters<span class="o">:</span> <span class="p">[</span>
    <span class="p">{</span>
      type<span class="o">:</span> <span class="s2">"public-key"</span><span class="p">,</span>
      algorithm<span class="o">:</span> <span class="s2">"ES256"</span><span class="p">,</span>
    <span class="p">}</span><span class="p">,</span>
    <span class="p">{</span>
      type<span class="o">:</span> <span class="s2">"public-key"</span><span class="p">,</span>
      algorithm<span class="o">:</span> <span class="s2">"RS256"</span><span class="p">,</span>
    <span class="p">}</span><span class="p">,</span>
  <span class="p">]</span><span class="p">,</span>

  timeout<span class="o">:</span> <span class="mi">60000</span><span class="p">,</span>  <span class="c1">// 1 minute
</span>  excludeList<span class="o">:</span> <span class="p">[</span><span class="p">]</span><span class="p">,</span> <span class="c1">// No excludeList
</span>  extensions<span class="o">:</span> <span class="p">{</span><span class="s2">"webauthn.location"</span><span class="o">:</span> <span class="kc">true</span><span class="p">}</span>  <span class="c1">// Include location information
</span>                                           <span class="c1">// in attestation
</span><span class="p">}</span><span class="p">;</span>

<span class="c1">// Note: The following call will cause the authenticator to display UI.
</span>navigator<span class="p">.</span>credentials<span class="p">.</span>create<span class="p">(</span><span class="p">{</span> publicKey <span class="p">}</span><span class="p">)</span>
  <span class="p">.</span>then<span class="p">(</span><span class="kd">function</span> <span class="p">(</span>newCredentialInfo<span class="p">)</span> <span class="p">{</span>
    <span class="c1">// Send new credential info to server for verification and registration.
</span>  <span class="p">}</span><span class="p">)</span><span class="p">.</span><span class="k">catch</span><span class="p">(</span><span class="kd">function</span> <span class="p">(</span>err<span class="p">)</span> <span class="p">{</span>
    <span class="c1">// No acceptable authenticator or user refused consent. Handle appropriately.
</span>  <span class="p">}</span><span class="p">)</span><span class="p">;</span>
</pre>
   <h3 class="heading settled" data-level="11.2" id="sample-authentication"><span class="secno">11.2. </span><span class="content">Authentication</span><a class="self-link" href="#sample-authentication"></a></h3>
   <p>This is the flow when a user with an already registered credential visits a website and wants to authenticate using the
credential.</p>
   <ol>
    <li data-md="">
     <p>The user visits example.com, which serves up a script.</p>
    <li data-md="">
     <p>The script asks the client platform for an Authentication Assertion, providing as much information as possible to narrow
the choice of acceptable credentials for the user. This may be obtained from the data that was stored locally after
registration, or by other means such as prompting the user for a username.</p>
    <li data-md="">
     <p>The <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-112">Relying Party</a> script runs one of the code snippets below.</p>
    <li data-md="">
     <p>The client platform searches for and locates the authenticator.</p>
    <li data-md="">
     <p>The client platform connects to the authenticator, performing any pairing actions if necessary.</p>
    <li data-md="">
     <p>The authenticator presents the user with a notification that their attention is required. On opening the
notification, the user is shown a friendly selection menu of acceptable credentials using the account information provided
when creating the credentials, along with some information on the <a data-link-type="dfn" href="https://w3c.github.io/html/browsers.html#concept-cross-origin">origin</a> that is requesting these keys.</p>
    <li data-md="">
     <p>The authenticator obtains a biometric or other authorization gesture from the user.</p>
    <li data-md="">
     <p>The authenticator returns a response to the client platform, which in turn returns a response to the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-113">Relying Party</a> script.
If the user declined to select a credential or provide an authorization, an appropriate error is returned.</p>
    <li data-md="">
     <p>If an assertion was successfully generated and returned,</p>
     <ul>
      <li data-md="">
       <p>The script sends the assertion to the server.</p>
      <li data-md="">
       <p>The server examines the assertion, extracts the credential ID, looks up the registered
credential public key it is database, and verifies the assertion’s authentication signature.
If valid, it looks up the identity associated with the assertion’s credential ID; that
identity is now authenticated. If the credential ID is not recognized by the server (e.g.,
it has been deregistered due to inactivity) then the authentication has failed; each <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-114">Relying Party</a> will handle this in its own way.</p>
      <li data-md="">
       <p>The server now does whatever it would otherwise do upon successful authentication -- return a success page, set
authentication cookies, etc.</p>
     </ul>
   </ol>
   <p>If the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-115">Relying Party</a> script does not have any hints available (e.g., from locally stored data) to help it narrow the list of credentials,
then the sample code for performing such an authentication might look like this:</p>
<pre class="example highlight" id="example-062d7981"><a class="self-link" href="#example-062d7981"></a><span class="k">if</span> <span class="p">(</span><span class="o">!</span>PublicKeyCredential<span class="p">)</span> <span class="p">{</span> <span class="cm">/* Platform not capable. Handle error. */</span> <span class="p">}</span>

<span class="kd">var</span> options <span class="o">=</span> <span class="p">{</span>
                challenge<span class="o">:</span> <span class="k">new</span> TextEncoder<span class="p">(</span><span class="p">)</span><span class="p">.</span>encode<span class="p">(</span><span class="s2">"climb a mountain"</span><span class="p">)</span><span class="p">,</span>
                timeout<span class="o">:</span> <span class="mi">60000</span><span class="p">,</span>  <span class="c1">// 1 minute
</span>                allowList<span class="o">:</span> <span class="p">[</span><span class="p">{</span> type<span class="o">:</span> <span class="s2">"public-key"</span> <span class="p">}</span><span class="p">]</span>
              <span class="p">}</span><span class="p">;</span>

navigator<span class="p">.</span>credentials<span class="p">.</span>get<span class="p">(</span><span class="p">{</span> <span class="s2">"publicKey"</span><span class="o">:</span> options <span class="p">}</span><span class="p">)</span>
    <span class="p">.</span>then<span class="p">(</span><span class="kd">function</span> <span class="p">(</span>assertion<span class="p">)</span> <span class="p">{</span>
    <span class="c1">// Send assertion to server for verification
</span><span class="p">}</span><span class="p">)</span><span class="p">.</span><span class="k">catch</span><span class="p">(</span><span class="kd">function</span> <span class="p">(</span>err<span class="p">)</span> <span class="p">{</span>
    <span class="c1">// No acceptable credential or user refused consent. Handle appropriately.
</span><span class="p">}</span><span class="p">)</span><span class="p">;</span>
</pre>
   <p>On the other hand, if the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-116">Relying Party</a> script has some hints to help it narrow the list of credentials, then the sample code for
performing such an authentication might look like the following. Note that this sample also demonstrates how to use the
extension for transaction authorization.</p>
<pre class="example highlight" id="example-03df3135"><a class="self-link" href="#example-03df3135"></a><span class="k">if</span> <span class="p">(</span><span class="o">!</span>PublicKeyCredential<span class="p">)</span> <span class="p">{</span> <span class="cm">/* Platform not capable. Handle error. */</span> <span class="p">}</span>

<span class="kd">var</span> encoder <span class="o">=</span> <span class="k">new</span> TextEncoder<span class="p">(</span><span class="p">)</span><span class="p">;</span>
<span class="kd">var</span> acceptableCredential1 <span class="o">=</span> <span class="p">{</span>
    type<span class="o">:</span> <span class="s2">"public-key"</span><span class="p">,</span>
    id<span class="o">:</span> encoder<span class="p">.</span>encode<span class="p">(</span><span class="s2">"!!!!!!!hi there!!!!!!!\n"</span><span class="p">)</span>
<span class="p">}</span><span class="p">;</span>
<span class="kd">var</span> acceptableCredential2 <span class="o">=</span> <span class="p">{</span>
    type<span class="o">:</span> <span class="s2">"public-key"</span><span class="p">,</span>
    id<span class="o">:</span> encoder<span class="p">.</span>encode<span class="p">(</span><span class="s2">"roses are red, violets are blue\n"</span><span class="p">)</span>
<span class="p">}</span><span class="p">;</span>

<span class="kd">var</span> options <span class="o">=</span> <span class="p">{</span>
                challenge<span class="o">:</span> encoder<span class="p">.</span>encode<span class="p">(</span><span class="s2">"climb a mountain"</span><span class="p">)</span><span class="p">,</span>
                timeout<span class="o">:</span> <span class="mi">60000</span><span class="p">,</span>  <span class="c1">// 1 minute
</span>                allowList<span class="o">:</span> <span class="p">[</span>acceptableCredential1<span class="p">,</span> acceptableCredential2<span class="p">]</span><span class="p">;</span>
                extensions<span class="o">:</span> <span class="p">{</span> <span class="s1">'webauthn.txauth.simple'</span><span class="o">:</span>
                   <span class="s2">"Wave your hands in the air like you just don’t care"</span> <span class="p">}</span><span class="p">;</span>
              <span class="p">}</span><span class="p">;</span>

navigator<span class="p">.</span>credentials<span class="p">.</span>get<span class="p">(</span><span class="p">{</span> <span class="s2">"publicKey"</span><span class="o">:</span> options <span class="p">}</span><span class="p">)</span>
    <span class="p">.</span>then<span class="p">(</span><span class="kd">function</span> <span class="p">(</span>assertion<span class="p">)</span> <span class="p">{</span>
    <span class="c1">// Send assertion to server for verification
</span><span class="p">}</span><span class="p">)</span><span class="p">.</span><span class="k">catch</span><span class="p">(</span><span class="kd">function</span> <span class="p">(</span>err<span class="p">)</span> <span class="p">{</span>
    <span class="c1">// No acceptable credential or user refused consent. Handle appropriately.
</span><span class="p">}</span><span class="p">)</span><span class="p">;</span>
</pre>
   <h3 class="heading settled" data-level="11.3" id="sample-decommissioning"><span class="secno">11.3. </span><span class="content">Decommissioning</span><a class="self-link" href="#sample-decommissioning"></a></h3>
   <p>The following are possible situations in which decommissioning a credential might be desired. Note that all of these are
handled on the server side and do not need support from the API specified here.</p>
   <ul>
    <li data-md="">
     <p>Possibility #1 -- user reports the credential as lost.</p>
     <ul>
      <li data-md="">
       <p>User goes to server.example.net, authenticates and follows a link to report a lost/stolen device.</p>
      <li data-md="">
       <p>Server returns a page showing the list of registered credentials with friendly names as configured during registration.</p>
      <li data-md="">
       <p>User selects a credential and the server deletes it from its database.</p>
      <li data-md="">
       <p>In future, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-117">Relying Party</a> script does not specify this credential in any list of acceptable credentials, and assertions
signed by this credential are rejected.</p>
     </ul>
    <li data-md="">
     <p>Possibility #2 -- server deregisters the credential due to inactivity.</p>
     <ul>
      <li data-md="">
       <p>Server deletes credential from its database during maintenance activity.</p>
      <li data-md="">
       <p>In the future, the <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party-118">Relying Party</a> script does not specify this credential in any list of acceptable credentials, and assertions
signed by this credential are rejected.</p>
     </ul>
    <li data-md="">
     <p>Possibility #3 -- user deletes the credential from the device.</p>
     <ul>
      <li data-md="">
       <p>User employs a device-specific method (e.g., device settings UI) to delete a credential from their device.</p>
      <li data-md="">
       <p>From this point on, this credential will not appear in any selection prompts, and no assertions can be generated with it.</p>
      <li data-md="">
       <p>Sometime later, the server deregisters this credential due to inactivity.</p>
     </ul>
   </ul>
   <h2 class="heading settled" data-level="12" id="acknowledgements"><span class="secno">12. </span><span class="content">Acknowledgements</span><a class="self-link" href="#acknowledgements"></a></h2>
    We thank the following for their contributions to, and thorough review of, this specification: Richard Barnes, Dominic Battré,
Domenic Denicola, Rahul Ghosh, Brad Hill, Jing Jin, Angelo Liao, Anne van Kesteren, Ian Kilpatrick, Giridhar Mandyam,
Axel Nennker, Kimberly Paulhamus, Adam Powers, Yaron Sheffer, Mike West, Jeffrey Yasskin, Boris Zbarsky. 
  </main>
<script src="https://www.w3.org/scripts/TR/2016/fixup.js"></script>
  <h2 class="no-num no-ref heading settled" id="index"><span class="content">Index</span><a class="self-link" href="#index"></a></h2>
  <h3 class="no-num no-ref heading settled" id="index-defined-here"><span class="content">Terms defined by this specification</span><a class="self-link" href="#index-defined-here"></a></h3>
  <ul class="index">
   <li><a href="#typedefdef-aaguid">AAGUID</a><span>, in §9.4</span>
   <li><a href="#dom-publickeycredentialparameters-algorithm">algorithm</a><span>, in §4.3</span>
   <li><a href="#dom-publickeycredentialrequestoptions-allowlist">allowList</a><span>, in §4.6</span>
   <li><a href="#assertion">Assertion</a><span>, in §3</span>
   <li><a href="#assertion-signature">assertion signature</a><span>, in §5</span>
   <li><a href="#enumdef-attachment">Attachment</a><span>, in §4.5.3</span>
   <li><a href="#dom-authenticatorselectioncriteria-attachment">attachment</a><span>, in §4.5.2</span>
   <li><a href="#attachment-modality">attachment modality</a><span>, in §4.5.3</span>
   <li><a href="#attestation">Attestation</a><span>, in §3</span>
   <li><a href="#attestation-certificate">Attestation Certificate</a><span>, in §3</span>
   <li><a href="#attestation-data">Attestation data</a><span>, in §5.3.1</span>
   <li><a href="#attestation-information">Attestation information</a><span>, in §3</span>
   <li><a href="#attestation-key-pair">attestation key pair</a><span>, in §3</span>
   <li><a href="#dom-authenticatorattestationresponse-attestationobject">attestationObject</a><span>, in §4.2.1</span>
   <li><a href="#attestation-objects">attestation objects</a><span>, in §3</span>
   <li><a href="#attestation-private-key">attestation private key</a><span>, in §3</span>
   <li><a href="#attestation-public-key">attestation public key</a><span>, in §3</span>
   <li><a href="#attestation-signature">attestation signature</a><span>, in §5</span>
   <li><a href="#attestation-statement-format">attestation statement format</a><span>, in §5.3</span>
   <li><a href="#attestation-statement-format-identifier">attestation statement format identifier</a><span>, in §7.1</span>
   <li><a href="#attestation-type">attestation type</a><span>, in §5.3</span>
   <li><a href="#authentication">Authentication</a><span>, in §3</span>
   <li><a href="#authentication-assertion">Authentication Assertion</a><span>, in §3</span>
   <li><a href="#authentication-extension">authentication extension</a><span>, in §8</span>
   <li>
    AuthenticationExtensions
    <ul>
     <li><a href="#authenticationextensions">definition of</a><span>, in §4.7</span>
     <li><a href="#typedefdef-authenticationextensions">(typedef)</a><span>, in §4.7</span>
    </ul>
   <li><a href="#authenticator">Authenticator</a><span>, in §3</span>
   <li><a href="#authenticatorassertionresponse">AuthenticatorAssertionResponse</a><span>, in §4.2.2</span>
   <li><a href="#authenticatorattestationresponse">AuthenticatorAttestationResponse</a><span>, in §4.2.1</span>
   <li><a href="#authenticatorcancel">authenticatorCancel</a><span>, in §5.2.3</span>
   <li><a href="#authenticator-data">authenticator data</a><span>, in §5.1</span>
   <li><a href="#dom-authenticatorassertionresponse-authenticatordata">authenticatorData</a><span>, in §4.2.2</span>
   <li><a href="#authenticator-data-claimed-to-have-been-used-for-the-attestation">authenticator data claimed to have been used for the attestation</a><span>, in §5.3.2</span>
   <li><a href="#authenticator-data-for-the-attestation">authenticator data for the attestation</a><span>, in §5.3.2</span>
   <li><a href="#authenticator-extension">authenticator extension</a><span>, in §8</span>
   <li><a href="#authenticator-extension-input">authenticator extension input</a><span>, in §8.3</span>
   <li><a href="#authenticator-extension-output">authenticator extension output</a><span>, in §8.5</span>
   <li><a href="#authenticator-extension-processing">Authenticator extension processing</a><span>, in §8.5</span>
   <li><a href="#dom-collectedclientdata-authenticatorextensions">authenticatorExtensions</a><span>, in §4.8.1</span>
   <li><a href="#authenticatorgetassertion">authenticatorGetAssertion</a><span>, in §5.2.2</span>
   <li><a href="#authenticatormakecredential">authenticatorMakeCredential</a><span>, in §5.2.1</span>
   <li><a href="#authenticatorresponse">AuthenticatorResponse</a><span>, in §4.2</span>
   <li><a href="#dom-makecredentialoptions-authenticatorselection">authenticatorSelection</a><span>, in §4.5</span>
   <li><a href="#dictdef-authenticatorselectioncriteria">AuthenticatorSelectionCriteria</a><span>, in §4.5.2</span>
   <li><a href="#typedefdef-authenticatorselectionlist">AuthenticatorSelectionList</a><span>, in §9.4</span>
   <li><a href="#authorization-gesture">Authorization Gesture</a><span>, in §3</span>
   <li><a href="#base64url-encoding">Base64url Encoding</a><span>, in §2.1</span>
   <li><a href="#basic-attestation">Basic Attestation</a><span>, in §5.3.3</span>
   <li><a href="#biometric-recognition">Biometric Recognition</a><span>, in §3</span>
   <li><a href="#dom-transport-ble">ble</a><span>, in §4.8.4</span>
   <li><a href="#cbor">CBOR</a><span>, in §2.1</span>
   <li><a href="#ceremony">Ceremony</a><span>, in §3</span>
   <li>
    challenge
    <ul>
     <li><a href="#dom-makecredentialoptions-challenge">dict-member for MakeCredentialOptions</a><span>, in §4.5</span>
     <li><a href="#dom-publickeycredentialrequestoptions-challenge">dict-member for PublicKeyCredentialRequestOptions</a><span>, in §4.6</span>
     <li><a href="#dom-collectedclientdata-challenge">dict-member for CollectedClientData</a><span>, in §4.8.1</span>
    </ul>
   <li><a href="#client">Client</a><span>, in §3</span>
   <li><a href="#client-data">client data</a><span>, in §4.8.1</span>
   <li><a href="#dom-authenticatorresponse-clientdatajson">clientDataJSON</a><span>, in §4.2</span>
   <li><a href="#client-extension">client extension</a><span>, in §8</span>
   <li><a href="#client-extension-input">client extension input</a><span>, in §8.3</span>
   <li><a href="#client-extension-output">client extension output</a><span>, in §8.4</span>
   <li><a href="#client-extension-processing">Client extension processing</a><span>, in §8.4</span>
   <li><a href="#dom-publickeycredential-clientextensionresults">clientExtensionResults</a><span>, in §4.1</span>
   <li><a href="#dom-collectedclientdata-clientextensions">clientExtensions</a><span>, in §4.8.1</span>
   <li><a href="#client-side">Client-Side</a><span>, in §3</span>
   <li><a href="#client-side-credential-private-key-storage">client-side credential private key storage</a><span>, in §3</span>
   <li><a href="#client-side-resident-credential-private-key">Client-side-resident Credential Private Key</a><span>, in §3</span>
   <li><a href="#dictdef-collectedclientdata">CollectedClientData</a><span>, in §4.8.1</span>
   <li><a href="#conforming-user-agent">Conforming User Agent</a><span>, in §3</span>
   <li><a href="#dom-publickeycredential-create-slot">[[Create]](options)</a><span>, in §4.1.3</span>
   <li><a href="#credential-key-pair">credential key pair</a><span>, in §3</span>
   <li><a href="#credential-private-key">credential private key</a><span>, in §3</span>
   <li><a href="#credential-public-key">Credential Public Key</a><span>, in §3</span>
   <li><a href="#dictdef-credentialrequestoptions">CredentialRequestOptions</a><span>, in §4.1.1</span>
   <li><a href="#dom-attachment-cross-platform">cross-platform</a><span>, in §4.5.3</span>
   <li><a href="#dom-attachment-cross-platform">"cross-platform"</a><span>, in §4.5.3</span>
   <li><a href="#cross-platform-attached">cross-platform attached</a><span>, in §4.5.3</span>
   <li><a href="#cross-platform-attached">cross-platform attachment</a><span>, in §4.5.3</span>
   <li><a href="#daa">DAA</a><span>, in §5.3.3</span>
   <li><a href="#dom-publickeycredential-discoverfromexternalsource-slot">[[DiscoverFromExternalSource]](options)</a><span>, in §4.1.4</span>
   <li><a href="#dom-publickeycredential-discovery-slot">[[discovery]]</a><span>, in §4.1</span>
   <li><a href="#dom-publickeycredentialuserentity-displayname">displayName</a><span>, in §4.4</span>
   <li><a href="#ecdaa">ECDAA</a><span>, in §5.3.3</span>
   <li><a href="#ecdaa-issuer-public-key">ECDAA-Issuer public key</a><span>, in §7.2</span>
   <li><a href="#elliptic-curve-based-direct-anonymous-attestation">Elliptic Curve based Direct Anonymous Attestation</a><span>, in §5.3.3</span>
   <li><a href="#dom-makecredentialoptions-excludelist">excludeList</a><span>, in §4.5</span>
   <li><a href="#extension-identifier">extension identifier</a><span>, in §8.1</span>
   <li>
    extensions
    <ul>
     <li><a href="#dom-makecredentialoptions-extensions">dict-member for MakeCredentialOptions</a><span>, in §4.5</span>
     <li><a href="#dom-publickeycredentialrequestoptions-extensions">dict-member for PublicKeyCredentialRequestOptions</a><span>, in §4.6</span>
    </ul>
   <li><a href="#enumdef-externaltransport">ExternalTransport</a><span>, in §4.8.4</span>
   <li><a href="#dom-collectedclientdata-hashalg">hashAlg</a><span>, in §4.8.1</span>
   <li><a href="#collectedclientdata-hash-of-the-serialized-client-data">Hash of the serialized client data</a><span>, in §4.8.1</span>
   <li><a href="#dom-publickeycredentialentity-icon">icon</a><span>, in §4.5.1</span>
   <li>
    id
    <ul>
     <li><a href="#dom-publickeycredentialentity-id">dict-member for PublicKeyCredentialEntity</a><span>, in §4.5.1</span>
     <li><a href="#dom-publickeycredentialdescriptor-id">dict-member for PublicKeyCredentialDescriptor</a><span>, in §4.8.3</span>
    </ul>
   <li><a href="#dom-publickeycredential-identifier-slot">[[identifier]]</a><span>, in §4.1</span>
   <li><a href="#identifier-of-the-ecdaa-issuer-public-key">identifier of the ECDAA-Issuer public key</a><span>, in §7.2</span>
   <li><a href="#collectedclientdata-json-serialized-client-data">JSON-serialized client data</a><span>, in §4.8.1</span>
   <li><a href="#dictdef-makecredentialoptions">MakeCredentialOptions</a><span>, in §4.5</span>
   <li><a href="#dom-publickeycredentialentity-name">name</a><span>, in §4.5.1</span>
   <li><a href="#dom-transport-nfc">nfc</a><span>, in §4.8.4</span>
   <li><a href="#dom-collectedclientdata-origin">origin</a><span>, in §4.8.1</span>
   <li><a href="#dom-makecredentialoptions-parameters">parameters</a><span>, in §4.5</span>
   <li><a href="#dom-attachment-platform">platform</a><span>, in §4.5.3</span>
   <li><a href="#dom-attachment-platform">"platform"</a><span>, in §4.5.3</span>
   <li><a href="#platform-attachment">platform attachment</a><span>, in §4.5.3</span>
   <li><a href="#platform-authenticators">platform authenticators</a><span>, in §4.5.3</span>
   <li><a href="#privacy-ca">Privacy CA</a><span>, in §5.3.3</span>
   <li>
    publicKey
    <ul>
     <li><a href="#dom-credentialrequestoptions-publickey">dict-member for CredentialRequestOptions</a><span>, in §4.1.1</span>
     <li><a href="#dom-credentialcreationoptions-publickey">dict-member for CredentialCreationOptions</a><span>, in §4.1.2</span>
    </ul>
   <li><a href="#dom-publickeycredentialtype-public-key">public-key</a><span>, in §4.8.2</span>
   <li><a href="#public-key-credential">Public Key Credential</a><span>, in §3</span>
   <li><a href="#publickeycredential">PublicKeyCredential</a><span>, in §4.1</span>
   <li><a href="#dictdef-publickeycredentialdescriptor">PublicKeyCredentialDescriptor</a><span>, in §4.8.3</span>
   <li><a href="#dictdef-publickeycredentialentity">PublicKeyCredentialEntity</a><span>, in §4.5.1</span>
   <li><a href="#dictdef-publickeycredentialparameters">PublicKeyCredentialParameters</a><span>, in §4.3</span>
   <li><a href="#dictdef-publickeycredentialrequestoptions">PublicKeyCredentialRequestOptions</a><span>, in §4.6</span>
   <li><a href="#enumdef-publickeycredentialtype">PublicKeyCredentialType</a><span>, in §4.8.2</span>
   <li><a href="#dictdef-publickeycredentialuserentity">PublicKeyCredentialUserEntity</a><span>, in §4.4</span>
   <li><a href="#dom-publickeycredential-rawid">rawId</a><span>, in §4.1</span>
   <li><a href="#registration">Registration</a><span>, in §3</span>
   <li><a href="#registration-extension">registration extension</a><span>, in §8</span>
   <li><a href="#relying-party">Relying Party</a><span>, in §3</span>
   <li><a href="#relying-party-identifier">Relying Party Identifier</a><span>, in §3</span>
   <li><a href="#dom-authenticatorselectioncriteria-requireresidentkey">requireResidentKey</a><span>, in §4.5.2</span>
   <li><a href="#dom-publickeycredential-response">response</a><span>, in §4.1</span>
   <li><a href="#roaming-authenticators">roaming authenticators</a><span>, in §4.5.3</span>
   <li><a href="#dom-makecredentialoptions-rp">rp</a><span>, in §4.5</span>
   <li><a href="#dom-publickeycredentialrequestoptions-rpid">rpId</a><span>, in §4.6</span>
   <li><a href="#rp-id">RP ID</a><span>, in §3</span>
   <li><a href="#self-attestation">Self Attestation</a><span>, in §5.3.3</span>
   <li><a href="#dom-authenticatorassertionresponse-signature">signature</a><span>, in §4.2.2</span>
   <li><a href="#test-of-user-presence">Test of User Presence</a><span>, in §3</span>
   <li>
    timeout
    <ul>
     <li><a href="#dom-makecredentialoptions-timeout">dict-member for MakeCredentialOptions</a><span>, in §4.5</span>
     <li><a href="#dom-publickeycredentialrequestoptions-timeout">dict-member for PublicKeyCredentialRequestOptions</a><span>, in §4.6</span>
    </ul>
   <li><a href="#dom-collectedclientdata-tokenbinding">tokenBinding</a><span>, in §4.8.1</span>
   <li><a href="#enumdef-transport">Transport</a><span>, in §4.8.4</span>
   <li><a href="#dom-publickeycredentialdescriptor-transports">transports</a><span>, in §4.8.3</span>
   <li><a href="#tup">TUP</a><span>, in §3</span>
   <li><a href="#dom-publickeycredential-type-slot">[[type]]</a><span>, in §4.1</span>
   <li>
    type
    <ul>
     <li><a href="#dom-publickeycredentialparameters-type">dict-member for PublicKeyCredentialParameters</a><span>, in §4.3</span>
     <li><a href="#dom-publickeycredentialdescriptor-type">dict-member for PublicKeyCredentialDescriptor</a><span>, in §4.8.3</span>
    </ul>
   <li><a href="#dom-transport-usb">usb</a><span>, in §4.8.4</span>
   <li><a href="#dom-makecredentialoptions-user">user</a><span>, in §4.5</span>
   <li><a href="#user-consent">User Consent</a><span>, in §3</span>
   <li><a href="#user-verification">User Verification</a><span>, in §3</span>
   <li><a href="#concept-user-verified">User Verified</a><span>, in §3</span>
   <li><a href="#web-authentication-api">Web Authentication API</a><span>, in §4</span>
   <li><a href="#webauthn-client">WebAuthn Client</a><span>, in §3</span>
  </ul>
  <h3 class="no-num no-ref heading settled" id="index-defined-elsewhere"><span class="content">Terms defined by reference</span><a class="self-link" href="#index-defined-elsewhere"></a></h3>
  <ul class="index">
   <li>
    <a data-link-type="biblio">[CREDENTIAL-MANAGEMENT-1]</a> defines the following terms:
    <ul>
     <li><a href="https://w3c.github.io/webappsec-credential-management/#dictdef-credentialcreationoptions">CredentialCreationOptions</a>
     <li><a href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create">create()</a>
    </ul>
   <li>
    <a data-link-type="biblio">[ECMAScript]</a> defines the following terms:
    <ul>
     <li><a href="https://tc39.github.io/ecma262/#sec-arraybuffer-constructor">%arraybuffer%</a>
     <li><a href="https://tc39.github.io/ecma262/#sec-object-internal-methods-and-internal-slots">internal slot</a>
     <li><a href="https://tc39.github.io/ecma262/#sec-json.stringify">stringify</a>
    </ul>
   <li>
    <a data-link-type="biblio">[ENCODING]</a> defines the following terms:
    <ul>
     <li><a href="https://encoding.spec.whatwg.org/#utf-8-encode">utf-8 encode</a>
    </ul>
   <li>
    <a data-link-type="biblio">[HTML]</a> defines the following terms:
    <ul>
     <li><a href="https://html.spec.whatwg.org/multipage/browsers.html#ascii-serialisation-of-an-origin">ascii serialization of an origin</a>
     <li><a href="https://html.spec.whatwg.org/multipage/webappapis.html#dom-manipulation-task-source">dom manipulation task source</a>
     <li><a href="https://html.spec.whatwg.org/multipage/browsers.html#concept-origin-effective-domain">effective domain</a>
     <li><a href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-global">global object</a>
     <li><a href="https://html.spec.whatwg.org/multipage/infrastructure.html#in-parallel">in parallel</a>
     <li><a href="https://html.spec.whatwg.org/multipage/browsers.html#is-a-registrable-domain-suffix-of-or-is-equal-to">is a registrable domain suffix of or is equal to</a>
     <li><a href="https://html.spec.whatwg.org/multipage/browsers.html#is-a-registrable-domain-suffix-of-or-is-equal-to">is not a registrable domain suffix of and is not equal to</a>
     <li><a href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin">origin</a>
     <li><a href="https://html.spec.whatwg.org/multipage/webappapis.html#relevant-settings-object">relevant settings object</a>
     <li><a href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-task">task</a>
     <li><a href="https://html.spec.whatwg.org/multipage/webappapis.html#task-source">task source</a>
     <li><a href="https://html.spec.whatwg.org/multipage/browsers.html#unicode-serialisation-of-an-origin">unicode serialization of an origin</a>
    </ul>
   <li>
    <a data-link-type="biblio">[HTML52]</a> defines the following terms:
    <ul>
     <li><a href="https://w3c.github.io/html/browsers.html#opaque-origin">opaque origin</a>
     <li><a href="https://w3c.github.io/html/browsers.html#concept-cross-origin">origin</a>
    </ul>
   <li>
    <a data-link-type="biblio">[INFRA]</a> defines the following terms:
    <ul>
     <li><a href="https://infra.spec.whatwg.org/#list-append">append <small>(for list)</small></a>
     <li><a href="https://infra.spec.whatwg.org/#set-append">append <small>(for set)</small></a>
     <li><a href="https://infra.spec.whatwg.org/#iteration-continue">continue</a>
     <li><a href="https://infra.spec.whatwg.org/#list-iterate">for each <small>(for list)</small></a>
     <li><a href="https://infra.spec.whatwg.org/#map-iterate">for each <small>(for map)</small></a>
     <li><a href="https://infra.spec.whatwg.org/#list-is-empty">is empty</a>
     <li><a href="https://infra.spec.whatwg.org/#list-is-empty">is not empty</a>
     <li><a href="https://infra.spec.whatwg.org/#list-item">item</a>
     <li><a href="https://infra.spec.whatwg.org/#list">list</a>
     <li><a href="https://infra.spec.whatwg.org/#ordered-map">map</a>
     <li><a href="https://infra.spec.whatwg.org/#ordered-set">ordered set</a>
     <li><a href="https://infra.spec.whatwg.org/#list-remove">remove</a>
     <li><a href="https://infra.spec.whatwg.org/#map-set">set</a>
    </ul>
   <li>
    <a data-link-type="biblio">[secure-contexts]</a> defines the following terms:
    <ul>
     <li><a href="https://w3c.github.io/webappsec-secure-contexts/#secure-context">secure context</a>
    </ul>
   <li>
    <a data-link-type="biblio">[TokenBinding]</a> defines the following terms:
    <ul>
     <li><a href="https://tools.ietf.org/html/draft-ietf-tokbind-protocol#token-binding">token binding</a>
     <li><a href="https://tools.ietf.org/html/draft-ietf-tokbind-protocol#section-3.2">token binding id</a>
    </ul>
   <li>
    <a data-link-type="biblio">[URL]</a> defines the following terms:
    <ul>
     <li><a href="https://url.spec.whatwg.org/#concept-url-serializer">url serializer</a>
    </ul>
   <li>
    <a data-link-type="biblio">[webappsec-credential-management-1]</a> defines the following terms:
    <ul>
     <li><a href="https://w3c.github.io/webappsec-credential-management/#credential">Credential</a>
     <li><a href="https://w3c.github.io/webappsec-credential-management/#credentialscontainer">CredentialsContainer</a>
     <li><a href="https://w3c.github.io/webappsec-credential-management/#dom-credential-collectfromcredentialstore-slot">[[CollectFromCredentialStore]](options)</a>
     <li><a href="https://w3c.github.io/webappsec-credential-management/#dom-credential-store-slot">[[Store]](credential)</a>
     <li><a href="https://w3c.github.io/webappsec-credential-management/#dom-credential-discovery-slot">[[discovery]]</a>
     <li><a href="https://w3c.github.io/webappsec-credential-management/#dom-credential-type-slot">[[type]]</a>
     <li><a href="https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-get">get()</a>
     <li><a href="https://w3c.github.io/webappsec-credential-management/#dom-credential-id">id</a>
     <li><a href="https://w3c.github.io/webappsec-credential-management/#dom-credential-discovery-remote">remote</a>
     <li><a href="https://w3c.github.io/webappsec-credential-management/#dom-credential-type">type</a>
    </ul>
   <li>
    <a data-link-type="biblio">[WebCryptoAPI]</a> defines the following terms:
    <ul>
     <li><a href="https://www.w3.org/TR/WebCryptoAPI/#dfn-AlgorithmIdentifierS">AlgorithmIdentifier</a>
     <li><a href="https://www.w3.org/TR/WebCryptoAPI/#dfn-normalize-an-algorithm">normalizing an algorithm</a>
     <li><a href="https://www.w3.org/TR/WebCryptoAPI/#recognized-algorithm-name">recognized algorithm name</a>
    </ul>
   <li>
    <a data-link-type="biblio">[WebIDL]</a> defines the following terms:
    <ul>
     <li><a href="https://heycam.github.io/webidl/#idl-ArrayBuffer">ArrayBuffer</a>
     <li><a href="https://heycam.github.io/webidl/#BufferSource">BufferSource</a>
     <li><a href="https://heycam.github.io/webidl/#constrainterror">ConstraintError</a>
     <li><a href="https://heycam.github.io/webidl/#idl-DOMException">DOMException</a>
     <li><a href="https://heycam.github.io/webidl/#idl-DOMString">DOMString</a>
     <li><a href="https://heycam.github.io/webidl/#notallowederror">NotAllowedError</a>
     <li><a href="https://heycam.github.io/webidl/#notfounderror">NotFoundError</a>
     <li><a href="https://heycam.github.io/webidl/#notsupportederror">NotSupportedError</a>
     <li><a href="https://heycam.github.io/webidl/#idl-promise">Promise</a>
     <li><a href="https://heycam.github.io/webidl/#SecureContext">SecureContext</a>
     <li><a href="https://heycam.github.io/webidl/#securityerror">SecurityError</a>
     <li><a href="https://heycam.github.io/webidl/#exceptiondef-typeerror">TypeError</a>
     <li><a href="https://heycam.github.io/webidl/#idl-USVString">USVString</a>
     <li><a href="https://heycam.github.io/webidl/#idl-boolean">boolean</a>
     <li><a href="https://heycam.github.io/webidl/#dfn-dictionary">dictionary</a>
     <li><a href="https://heycam.github.io/webidl/#dfn-interface-object">interface object</a>
     <li><a href="https://heycam.github.io/webidl/#dfn-present">present</a>
     <li><a href="https://heycam.github.io/webidl/#dfn-simple-exception">simple exception</a>
     <li><a href="https://heycam.github.io/webidl/#idl-unsigned-long">unsigned long</a>
    </ul>
  </ul>
  <h2 class="no-num no-ref heading settled" id="references"><span class="content">References</span><a class="self-link" href="#references"></a></h2>
  <h3 class="no-num no-ref heading settled" id="normative"><span class="content">Normative References</span><a class="self-link" href="#normative"></a></h3>
  <dl>
   <dt id="biblio-cddl">[CDDL]
   <dd>C. Vigano; H. Birkholz. <a href="https://tools.ietf.org/html/draft-greevenbosch-appsawg-cbor-cddl">CBOR data definition language (CDDL): a notational convention to express CBOR data structures</a>. 21 September 2016. Internet Draft (work in progress). URL: <a href="https://tools.ietf.org/html/draft-greevenbosch-appsawg-cbor-cddl">https://tools.ietf.org/html/draft-greevenbosch-appsawg-cbor-cddl</a>
   <dt id="biblio-credential-management-1">[CREDENTIAL-MANAGEMENT-1]
   <dd>Mike West. <a href="https://www.w3.org/TR/credential-management-1/">Credential Management Level 1</a>. URL: <a href="https://www.w3.org/TR/credential-management-1/">https://www.w3.org/TR/credential-management-1/</a>
   <dt id="biblio-dom4">[DOM4]
   <dd>Anne van Kesteren. <a href="https://dom.spec.whatwg.org/">DOM Standard</a>. Living Standard. URL: <a href="https://dom.spec.whatwg.org/">https://dom.spec.whatwg.org/</a>
   <dt id="biblio-ecmascript">[ECMAScript]
   <dd><a href="https://tc39.github.io/ecma262/">ECMAScript Language Specification</a>. URL: <a href="https://tc39.github.io/ecma262/">https://tc39.github.io/ecma262/</a>
   <dt id="biblio-encoding">[ENCODING]
   <dd>Anne van Kesteren. <a href="https://encoding.spec.whatwg.org/">Encoding Standard</a>. Living Standard. URL: <a href="https://encoding.spec.whatwg.org/">https://encoding.spec.whatwg.org/</a>
   <dt id="biblio-fidoecdaaalgorithm">[FIDOEcdaaAlgorithm]
   <dd>R. Lindemann; et al. <a href="https://fidoalliance.org/specs/fido-uaf-v1.1-id-20170202/fido-ecdaa-algorithm-v1.1-id-20170202.html">FIDO ECDAA Algorithm</a>. FIDO Alliance Implementation Draft. URL: <a href="https://fidoalliance.org/specs/fido-uaf-v1.1-id-20170202/fido-ecdaa-algorithm-v1.1-id-20170202.html">https://fidoalliance.org/specs/fido-uaf-v1.1-id-20170202/fido-ecdaa-algorithm-v1.1-id-20170202.html</a>
   <dt id="biblio-fidoreg">[FIDOReg]
   <dd>R. Lindemann; D. Baghdasaryan; B. Hill. <a href="https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-reg-v1.0-ps-20141208.html">FIDO UAF Registry of Predefined Values</a>. FIDO Alliance Proposed Standard. URL: <a href="https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-reg-v1.0-ps-20141208.html">https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-reg-v1.0-ps-20141208.html</a>
   <dt id="biblio-html">[HTML]
   <dd>Anne van Kesteren; et al. <a href="https://html.spec.whatwg.org/multipage/">HTML Standard</a>. Living Standard. URL: <a href="https://html.spec.whatwg.org/multipage/">https://html.spec.whatwg.org/multipage/</a>
   <dt id="biblio-html52">[HTML52]
   <dd>Steve Faulkner; et al. <a href="https://www.w3.org/TR/html52/">HTML 5.2</a>. URL: <a href="https://www.w3.org/TR/html52/">https://www.w3.org/TR/html52/</a>
   <dt id="biblio-infra">[INFRA]
   <dd>Anne van Kesteren; Domenic Denicola. <a href="https://infra.spec.whatwg.org/">Infra Standard</a>. Living Standard. URL: <a href="https://infra.spec.whatwg.org/">https://infra.spec.whatwg.org/</a>
   <dt id="biblio-rfc2119">[RFC2119]
   <dd>S. Bradner. <a href="https://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>. March 1997. Best Current Practice. URL: <a href="https://tools.ietf.org/html/rfc2119">https://tools.ietf.org/html/rfc2119</a>
   <dt id="biblio-rfc4648">[RFC4648]
   <dd>S. Josefsson. <a href="https://tools.ietf.org/html/rfc4648">The Base16, Base32, and Base64 Data Encodings</a>. October 2006. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc4648">https://tools.ietf.org/html/rfc4648</a>
   <dt id="biblio-rfc5234">[RFC5234]
   <dd>D. Crocker, Ed.; P. Overell. <a href="https://tools.ietf.org/html/rfc5234">Augmented BNF for Syntax Specifications: ABNF</a>. January 2008. Internet Standard. URL: <a href="https://tools.ietf.org/html/rfc5234">https://tools.ietf.org/html/rfc5234</a>
   <dt id="biblio-rfc5890">[RFC5890]
   <dd>J. Klensin. <a href="https://tools.ietf.org/html/rfc5890">Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework</a>. August 2010. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc5890">https://tools.ietf.org/html/rfc5890</a>
   <dt id="biblio-rfc7049">[RFC7049]
   <dd>C. Bormann; P. Hoffman. <a href="https://tools.ietf.org/html/rfc7049">Concise Binary Object Representation (CBOR)</a>. October 2013. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc7049">https://tools.ietf.org/html/rfc7049</a>
   <dt id="biblio-rfc7518">[RFC7518]
   <dd>M. Jones. <a href="https://tools.ietf.org/html/rfc7518">JSON Web Algorithms (JWA)</a>. May 2015. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc7518">https://tools.ietf.org/html/rfc7518</a>
   <dt id="biblio-secure-contexts">[SECURE-CONTEXTS]
   <dd>Mike West. <a href="https://www.w3.org/TR/secure-contexts/">Secure Contexts</a>. URL: <a href="https://www.w3.org/TR/secure-contexts/">https://www.w3.org/TR/secure-contexts/</a>
   <dt id="biblio-tokenbinding">[TokenBinding]
   <dd>A. Popov; et al. <a href="https://tools.ietf.org/html/draft-ietf-tokbind-protocol">The Token Binding Protocol Version 1.0</a>. February 16, 2017. Internet-Draft. URL: <a href="https://tools.ietf.org/html/draft-ietf-tokbind-protocol">https://tools.ietf.org/html/draft-ietf-tokbind-protocol</a>
   <dt id="biblio-url">[URL]
   <dd>Anne van Kesteren. <a href="https://url.spec.whatwg.org/">URL Standard</a>. Living Standard. URL: <a href="https://url.spec.whatwg.org/">https://url.spec.whatwg.org/</a>
   <dt id="biblio-webappsec-credential-management-1">[WEBAPPSEC-CREDENTIAL-MANAGEMENT-1]
   <dd>Credential Management Level 1 URL: <a href="https://w3c.github.io/webappsec-credential-management/">https://w3c.github.io/webappsec-credential-management/</a>
   <dt id="biblio-webauthn-registries">[WebAuthn-Registries]
   <dd>Jeff Hodges; Giridhar Mandyam; Michael B. Jones. <a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?modeAsFormat=html/ascii&amp;url=https://raw.githubusercontent.com/w3c/webauthn/master/draft-hodges-webauthn-registries.xml">Registries for Web Authentication (WebAuthn)</a>. March 2017. Active Internet-Draft. URL: <a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?modeAsFormat=html/ascii&amp;url=https://raw.githubusercontent.com/w3c/webauthn/master/draft-hodges-webauthn-registries.xml">https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?modeAsFormat=html/ascii&amp;url=https://raw.githubusercontent.com/w3c/webauthn/master/draft-hodges-webauthn-registries.xml</a>
   <dt id="biblio-webcryptoapi">[WebCryptoAPI]
   <dd>Mark Watson. <a href="https://www.w3.org/TR/WebCryptoAPI/">Web Cryptography API</a>. URL: <a href="https://www.w3.org/TR/WebCryptoAPI/">https://www.w3.org/TR/WebCryptoAPI/</a>
   <dt id="biblio-webidl">[WebIDL]
   <dd>Cameron McCormack; Boris Zbarsky; Tobie Langel. <a href="https://heycam.github.io/webidl/">Web IDL</a>. URL: <a href="https://heycam.github.io/webidl/">https://heycam.github.io/webidl/</a>
   <dt id="biblio-webidl-1">[WebIDL-1]
   <dd>Cameron McCormack. <a href="https://www.w3.org/TR/2016/REC-WebIDL-1-20161215/">WebIDL Level 1</a>. URL: <a href="https://www.w3.org/TR/2016/REC-WebIDL-1-20161215/">https://www.w3.org/TR/2016/REC-WebIDL-1-20161215/</a>
  </dl>
  <h3 class="no-num no-ref heading settled" id="informative"><span class="content">Informative References</span><a class="self-link" href="#informative"></a></h3>
  <dl>
   <dt id="biblio-ceremony">[Ceremony]
   <dd>Carl Ellison. <a href="https://eprint.iacr.org/2007/399.pdf">Ceremony Design and Analysis</a>. 2007. URL: <a href="https://eprint.iacr.org/2007/399.pdf">https://eprint.iacr.org/2007/399.pdf</a>
   <dt id="biblio-fido-appid">[FIDO-APPID]
   <dd>D. Balfanz; et al. <a href="https://fidoalliance.org/specs/fido-uaf-v1.1-rd-20161005/fido-appid-and-facets-v1.1-rd-20161005.html">FIDO AppID and Facets</a>. FIDO Alliance Review Draft. URL: <a href="https://fidoalliance.org/specs/fido-uaf-v1.1-rd-20161005/fido-appid-and-facets-v1.1-rd-20161005.html">https://fidoalliance.org/specs/fido-uaf-v1.1-rd-20161005/fido-appid-and-facets-v1.1-rd-20161005.html</a>
   <dt id="biblio-fido-u2f-message-formats">[FIDO-U2F-Message-Formats]
   <dd>D. Balfanz; J. Ehrensvard; J. Lang. <a href="https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html">FIDO U2F Raw Message Formats</a>. FIDO Alliance Implementation Draft. URL: <a href="https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html">https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html</a>
   <dt id="biblio-fidometadataservice">[FIDOMetadataService]
   <dd>R. Lindemann; B. Hill; D. Baghdasaryan. <a href="https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-metadata-service-v1.0-ps-20141208.html">FIDO Metadata Service v1.0</a>. FIDO Alliance Proposed Standard. URL: <a href="https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-metadata-service-v1.0-ps-20141208.html">https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-metadata-service-v1.0-ps-20141208.html</a>
   <dt id="biblio-fidosecref">[FIDOSecRef]
   <dd>R. Lindemann; D. Baghdasaryan; B. Hill. <a href="https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-security-ref-v1.0-ps-20141208.html">FIDO Security Reference</a>. FIDO Alliance Proposed Standard. URL: <a href="https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-security-ref-v1.0-ps-20141208.html">https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-security-ref-v1.0-ps-20141208.html</a>
   <dt id="biblio-geojson">[GeoJSON]
   <dd><a href="http://geojson.org/geojson-spec.html">The GeoJSON Format Specification</a>. URL: <a href="http://geojson.org/geojson-spec.html">http://geojson.org/geojson-spec.html</a>
   <dt id="biblio-isobiometricvocabulary">[ISOBiometricVocabulary]
   <dd>ISO/IEC JTC1/SC37. <a href="http://standards.iso.org/ittf/PubliclyAvailableStandards/c055194_ISOIEC_2382-37_2012.zip">Information technology — Vocabulary — Biometrics</a>. 15 December 2012. International Standard: ISO/IEC 2382-37:2012(E) First Edition. URL: <a href="http://standards.iso.org/ittf/PubliclyAvailableStandards/c055194_ISOIEC_2382-37_2012.zip">http://standards.iso.org/ittf/PubliclyAvailableStandards/c055194_ISOIEC_2382-37_2012.zip</a>
   <dt id="biblio-rfc4949">[RFC4949]
   <dd>R. Shirey. <a href="https://tools.ietf.org/html/rfc4949">Internet Security Glossary, Version 2</a>. August 2007. Informational. URL: <a href="https://tools.ietf.org/html/rfc4949">https://tools.ietf.org/html/rfc4949</a>
   <dt id="biblio-rfc5280">[RFC5280]
   <dd>D. Cooper; et al. <a href="https://tools.ietf.org/html/rfc5280">Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</a>. May 2008. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc5280">https://tools.ietf.org/html/rfc5280</a>
   <dt id="biblio-rfc6454">[RFC6454]
   <dd>A. Barth. <a href="https://tools.ietf.org/html/rfc6454">The Web Origin Concept</a>. December 2011. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc6454">https://tools.ietf.org/html/rfc6454</a>
   <dt id="biblio-rfc7515">[RFC7515]
   <dd>M. Jones; J. Bradley; N. Sakimura. <a href="https://tools.ietf.org/html/rfc7515">JSON Web Signature (JWS)</a>. May 2015. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc7515">https://tools.ietf.org/html/rfc7515</a>
   <dt id="biblio-tpmv2-ek-profile">[TPMv2-EK-Profile]
   <dd><a href="http://www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf">TCG EK Credential Profile for TPM Family 2.0</a>. URL: <a href="http://www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf">http://www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf</a>
   <dt id="biblio-tpmv2-part1">[TPMv2-Part1]
   <dd><a href="http://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf">Trusted Platform Module Library, Part 1: Architecture</a>. URL: <a href="http://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf">http://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf</a>
   <dt id="biblio-tpmv2-part2">[TPMv2-Part2]
   <dd><a href="http://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf">Trusted Platform Module Library, Part 2: Structures</a>. URL: <a href="http://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf">http://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf</a>
   <dt id="biblio-tpmv2-part3">[TPMv2-Part3]
   <dd><a href="http://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-Commands-01.38.pdf">Trusted Platform Module Library, Part 3: Commands</a>. URL: <a href="http://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-Commands-01.38.pdf">http://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-Commands-01.38.pdf</a>
   <dt id="biblio-uafprotocol">[UAFProtocol]
   <dd>R. Lindemann; et al. <a href="https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-protocol-v1.0-ps-20141208.html">FIDO UAF Protocol Specification v1.0</a>. FIDO Alliance Proposed Standard. URL: <a href="https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-protocol-v1.0-ps-20141208.html">https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-protocol-v1.0-ps-20141208.html</a>
  </dl>
  <h2 class="no-num no-ref heading settled" id="idl-index"><span class="content">IDL Index</span><a class="self-link" href="#idl-index"></a></h2>
<pre class="idl def">[<a class="nv idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SecureContext">SecureContext</a>]
<span class="kt">interface</span> <a class="nv idl-code" data-link-type="interface" href="#publickeycredential">PublicKeyCredential</a> : <a class="n" data-link-type="idl-name" href="https://w3c.github.io/webappsec-credential-management/#credential">Credential</a> {
    <span class="kt">readonly</span> <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-ArrayBuffer"><span class="kt">ArrayBuffer</span></a>           <a class="nv" data-readonly="" data-type="ArrayBuffer" href="#dom-publickeycredential-rawid">rawId</a>;
    <span class="kt">readonly</span> <span class="kt">attribute</span> <a class="n" data-link-type="idl-name" href="#authenticatorresponse">AuthenticatorResponse</a> <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="AuthenticatorResponse" href="#dom-publickeycredential-response">response</a>;
    <span class="kt">readonly</span> <span class="kt">attribute</span> <a class="n" data-link-type="idl-name" href="#typedefdef-authenticationextensions">AuthenticationExtensions</a> <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="AuthenticationExtensions" href="#dom-publickeycredential-clientextensionresults">clientExtensionResults</a>;
};

<span class="kt">partial</span> <span class="kt">dictionary</span> <a class="nv" href="#dictdef-credentialrequestoptions">CredentialRequestOptions</a> {
    <a class="n" data-link-type="idl-name" href="#dictdef-publickeycredentialrequestoptions">PublicKeyCredentialRequestOptions</a>? <a class="nv" data-type="PublicKeyCredentialRequestOptions? " href="#dom-credentialrequestoptions-publickey">publicKey</a>;
};

<span class="kt">partial</span> <span class="kt">dictionary</span> <a class="nv idl-code" data-link-type="dictionary" href="https://w3c.github.io/webappsec-credential-management/#dictdef-credentialcreationoptions">CredentialCreationOptions</a> {
    <a class="n" data-link-type="idl-name" href="#dictdef-makecredentialoptions">MakeCredentialOptions</a>? <a class="nv" data-type="MakeCredentialOptions? " href="#dom-credentialcreationoptions-publickey">publicKey</a>;
};

[<a class="nv idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SecureContext">SecureContext</a>]
<span class="kt">interface</span> <a class="nv idl-code" data-link-type="interface" href="#authenticatorresponse">AuthenticatorResponse</a> {
    <span class="kt">readonly</span> <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-ArrayBuffer"><span class="kt">ArrayBuffer</span></a> <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="ArrayBuffer" href="#dom-authenticatorresponse-clientdatajson">clientDataJSON</a>;
};

[<a class="nv idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SecureContext">SecureContext</a>]
<span class="kt">interface</span> <a class="nv idl-code" data-link-type="interface" href="#authenticatorattestationresponse">AuthenticatorAttestationResponse</a> : <a class="n" data-link-type="idl-name" href="#authenticatorresponse">AuthenticatorResponse</a> {
    <span class="kt">readonly</span> <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-ArrayBuffer"><span class="kt">ArrayBuffer</span></a> <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="ArrayBuffer" href="#dom-authenticatorattestationresponse-attestationobject">attestationObject</a>;
};

[<a class="nv idl-code" data-link-type="extended-attribute" href="https://heycam.github.io/webidl/#SecureContext">SecureContext</a>]
<span class="kt">interface</span> <a class="nv idl-code" data-link-type="interface" href="#authenticatorassertionresponse">AuthenticatorAssertionResponse</a> : <a class="n" data-link-type="idl-name" href="#authenticatorresponse">AuthenticatorResponse</a> {
    <span class="kt">readonly</span> <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-ArrayBuffer"><span class="kt">ArrayBuffer</span></a>      <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="ArrayBuffer" href="#dom-authenticatorassertionresponse-authenticatordata">authenticatorData</a>;
    <span class="kt">readonly</span> <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-ArrayBuffer"><span class="kt">ArrayBuffer</span></a>      <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="ArrayBuffer" href="#dom-authenticatorassertionresponse-signature">signature</a>;
};

<span class="kt">dictionary</span> <a class="nv idl-code" data-link-type="dictionary" href="#dictdef-publickeycredentialparameters">PublicKeyCredentialParameters</a> {
    <span class="kt">required</span> <a class="n" data-link-type="idl-name" href="#enumdef-publickeycredentialtype">PublicKeyCredentialType</a>  <a class="nv idl-code" data-link-type="dict-member" data-type="PublicKeyCredentialType  " href="#dom-publickeycredentialparameters-type">type</a>;
    <span class="kt">required</span> <a class="n" data-link-type="idl-name" href="https://www.w3.org/TR/WebCryptoAPI/#dfn-AlgorithmIdentifierS">AlgorithmIdentifier</a>   <a class="nv idl-code" data-link-type="dict-member" data-type="AlgorithmIdentifier   " href="#dom-publickeycredentialparameters-algorithm">algorithm</a>;
};

<span class="kt">dictionary</span> <a class="nv idl-code" data-link-type="dictionary" href="#dictdef-publickeycredentialuserentity">PublicKeyCredentialUserEntity</a> : <a class="n" data-link-type="idl-name" href="#dictdef-publickeycredentialentity">PublicKeyCredentialEntity</a> {
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><span class="kt">DOMString</span></a> <a class="nv idl-code" data-link-type="dict-member" data-type="DOMString " href="#dom-publickeycredentialuserentity-displayname">displayName</a>;
};

<span class="kt">dictionary</span> <a class="nv idl-code" data-link-type="dictionary" href="#dictdef-makecredentialoptions">MakeCredentialOptions</a> {
    <span class="kt">required</span> <a class="n" data-link-type="idl-name" href="#dictdef-publickeycredentialentity">PublicKeyCredentialEntity</a> <a class="nv idl-code" data-link-type="dict-member" data-type="PublicKeyCredentialEntity " href="#dom-makecredentialoptions-rp">rp</a>;
    <span class="kt">required</span> <a class="n" data-link-type="idl-name" href="#dictdef-publickeycredentialuserentity">PublicKeyCredentialUserEntity</a> <a class="nv idl-code" data-link-type="dict-member" data-type="PublicKeyCredentialUserEntity " href="#dom-makecredentialoptions-user">user</a>;

    <span class="kt">required</span> <a class="n" data-link-type="idl-name" href="https://heycam.github.io/webidl/#BufferSource">BufferSource</a>                         <a class="nv idl-code" data-link-type="dict-member" data-type="BufferSource                         " href="#dom-makecredentialoptions-challenge">challenge</a>;
    <span class="kt">required</span> <span class="kt">sequence</span>&lt;<a class="n" data-link-type="idl-name" href="#dictdef-publickeycredentialparameters">PublicKeyCredentialParameters</a>> <a class="nv idl-code" data-link-type="dict-member" data-type="sequence<PublicKeyCredentialParameters> " href="#dom-makecredentialoptions-parameters">parameters</a>;

    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-unsigned-long"><span class="kt">unsigned</span> <span class="kt">long</span></a>                        <a class="nv idl-code" data-link-type="dict-member" data-type="unsigned long                        " href="#dom-makecredentialoptions-timeout">timeout</a>;
    <span class="kt">sequence</span>&lt;<a class="n" data-link-type="idl-name" href="#dictdef-publickeycredentialdescriptor">PublicKeyCredentialDescriptor</a>> <a class="nv idl-code" data-link-type="dict-member" data-type="sequence<PublicKeyCredentialDescriptor> " href="#dom-makecredentialoptions-excludelist">excludeList</a>;
    <a class="n" data-link-type="idl-name" href="#dictdef-authenticatorselectioncriteria">AuthenticatorSelectionCriteria</a>       <a class="nv idl-code" data-link-type="dict-member" data-type="AuthenticatorSelectionCriteria       " href="#dom-makecredentialoptions-authenticatorselection">authenticatorSelection</a>;
    <a class="n" data-link-type="idl-name" href="#typedefdef-authenticationextensions">AuthenticationExtensions</a>             <a class="nv idl-code" data-link-type="dict-member" data-type="AuthenticationExtensions             " href="#dom-makecredentialoptions-extensions">extensions</a>;
};

<span class="kt">dictionary</span> <a class="nv" href="#dictdef-publickeycredentialentity">PublicKeyCredentialEntity</a> {
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><span class="kt">DOMString</span></a> <a class="nv idl-code" data-link-type="dict-member" data-type="DOMString " href="#dom-publickeycredentialentity-id">id</a>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><span class="kt">DOMString</span></a> <a class="nv idl-code" data-link-type="dict-member" data-type="DOMString " href="#dom-publickeycredentialentity-name">name</a>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-USVString"><span class="kt">USVString</span></a> <a class="nv idl-code" data-link-type="dict-member" data-type="USVString " href="#dom-publickeycredentialentity-icon">icon</a>;
};

<span class="kt">dictionary</span> <a class="nv" href="#dictdef-authenticatorselectioncriteria">AuthenticatorSelectionCriteria</a> {
    <a class="n" data-link-type="idl-name" href="#enumdef-attachment">Attachment</a>    <a class="nv idl-code" data-link-type="dict-member" data-type="Attachment    " href="#dom-authenticatorselectioncriteria-attachment">attachment</a>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-boolean"><span class="kt">boolean</span></a>       <a class="nv idl-code" data-default="false" data-link-type="dict-member" data-type="boolean       " href="#dom-authenticatorselectioncriteria-requireresidentkey">requireResidentKey</a> = <span class="kt">false</span>;
};

<span class="kt">enum</span> <a class="nv idl-code" data-link-type="enum" href="#enumdef-attachment">Attachment</a> {
    <a class="s" href="#dom-attachment-platform">"platform"</a>,
    <a class="s" href="#dom-attachment-cross-platform">"cross-platform"</a>
};

<span class="kt">dictionary</span> <a class="nv idl-code" data-link-type="dictionary" href="#dictdef-publickeycredentialrequestoptions">PublicKeyCredentialRequestOptions</a> {
    <span class="kt">required</span> <a class="n" data-link-type="idl-name" href="https://heycam.github.io/webidl/#BufferSource">BufferSource</a>                <a class="nv idl-code" data-link-type="dict-member" data-type="BufferSource                " href="#dom-publickeycredentialrequestoptions-challenge">challenge</a>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-unsigned-long"><span class="kt">unsigned</span> <span class="kt">long</span></a>                        <a class="nv idl-code" data-link-type="dict-member" data-type="unsigned long                        " href="#dom-publickeycredentialrequestoptions-timeout">timeout</a>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-USVString"><span class="kt">USVString</span></a>                            <a class="nv idl-code" data-link-type="dict-member" data-type="USVString                            " href="#dom-publickeycredentialrequestoptions-rpid">rpId</a>;
    <span class="kt">sequence</span>&lt;<a class="n" data-link-type="idl-name" href="#dictdef-publickeycredentialdescriptor">PublicKeyCredentialDescriptor</a>> <a class="nv idl-code" data-default="None" data-link-type="dict-member" data-type="sequence<PublicKeyCredentialDescriptor> " href="#dom-publickeycredentialrequestoptions-allowlist">allowList</a> = [];
    <a class="n" data-link-type="idl-name" href="#typedefdef-authenticationextensions">AuthenticationExtensions</a>             <a class="nv idl-code" data-link-type="dict-member" data-type="AuthenticationExtensions             " href="#dom-publickeycredentialrequestoptions-extensions">extensions</a>;
};

<span class="kt">typedef</span> <span class="kt">record</span>&lt;<span class="kt">DOMString</span>, <span class="kt">any</span>> <a class="nv" href="#typedefdef-authenticationextensions">AuthenticationExtensions</a>;

<span class="kt">dictionary</span> <a class="nv idl-code" data-link-type="dictionary" href="#dictdef-collectedclientdata">CollectedClientData</a> {
    <span class="kt">required</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><span class="kt">DOMString</span></a>           <a class="nv idl-code" data-link-type="dict-member" data-type="DOMString           " href="#dom-collectedclientdata-challenge">challenge</a>;
    <span class="kt">required</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><span class="kt">DOMString</span></a>           <a class="nv idl-code" data-link-type="dict-member" data-type="DOMString           " href="#dom-collectedclientdata-origin">origin</a>;
    <span class="kt">required</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><span class="kt">DOMString</span></a>           <a class="nv idl-code" data-link-type="dict-member" data-type="DOMString           " href="#dom-collectedclientdata-hashalg">hashAlg</a>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString"><span class="kt">DOMString</span></a>                    <a class="nv idl-code" data-link-type="dict-member" data-type="DOMString                    " href="#dom-collectedclientdata-tokenbinding">tokenBinding</a>;
    <a class="n" data-link-type="idl-name" href="#typedefdef-authenticationextensions">AuthenticationExtensions</a>     <a class="nv idl-code" data-link-type="dict-member" data-type="AuthenticationExtensions     " href="#dom-collectedclientdata-clientextensions">clientExtensions</a>;
    <a class="n" data-link-type="idl-name" href="#typedefdef-authenticationextensions">AuthenticationExtensions</a>     <a class="nv idl-code" data-link-type="dict-member" data-type="AuthenticationExtensions     " href="#dom-collectedclientdata-authenticatorextensions">authenticatorExtensions</a>;
};

<span class="kt">enum</span> <a class="nv idl-code" data-link-type="enum" href="#enumdef-publickeycredentialtype">PublicKeyCredentialType</a> {
    <a class="s idl-code" data-link-type="enum-value" href="#dom-publickeycredentialtype-public-key">"public-key"</a>
};

<span class="kt">dictionary</span> <a class="nv idl-code" data-link-type="dictionary" href="#dictdef-publickeycredentialdescriptor">PublicKeyCredentialDescriptor</a> {
    <span class="kt">required</span> <a class="n" data-link-type="idl-name" href="#enumdef-publickeycredentialtype">PublicKeyCredentialType</a> <a class="nv idl-code" data-link-type="dict-member" data-type="PublicKeyCredentialType " href="#dom-publickeycredentialdescriptor-type">type</a>;
    <span class="kt">required</span> <a class="n" data-link-type="idl-name" href="https://heycam.github.io/webidl/#BufferSource">BufferSource</a> <a class="nv idl-code" data-link-type="dict-member" data-type="BufferSource " href="#dom-publickeycredentialdescriptor-id">id</a>;
    <span class="kt">sequence</span>&lt;<a class="n" data-link-type="idl-name" href="#enumdef-transport">Transport</a>>   <a class="nv" data-type="sequence<Transport>   " href="#dom-publickeycredentialdescriptor-transports">transports</a>;
};

<span class="kt">enum</span> <a class="nv" href="#enumdef-transport">Transport</a> {
    <a class="s idl-code" data-link-type="enum-value" href="#dom-transport-usb">"usb"</a>,
    <a class="s idl-code" data-link-type="enum-value" href="#dom-transport-nfc">"nfc"</a>,
    <a class="s idl-code" data-link-type="enum-value" href="#dom-transport-ble">"ble"</a>
};

<span class="kt">typedef</span> <span class="kt">sequence</span>&lt;<a class="n" data-link-type="idl-name" href="#typedefdef-aaguid">AAGUID</a>> <a class="nv" href="#typedefdef-authenticatorselectionlist">AuthenticatorSelectionList</a>;

<span class="kt">typedef</span> <a class="n" data-link-type="idl-name" href="https://heycam.github.io/webidl/#BufferSource">BufferSource</a> <a class="nv" href="#typedefdef-aaguid">AAGUID</a>;

</pre>
  <aside class="dfn-panel" data-for="base64url-encoding">
   <b><a href="#base64url-encoding">#base64url-encoding</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-base64url-encoding-1">4.1. PublicKeyCredential Interface</a>
    <li><a href="#ref-for-base64url-encoding-2">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a> <a href="#ref-for-base64url-encoding-3">(2)</a>
    <li><a href="#ref-for-base64url-encoding-4">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a> <a href="#ref-for-base64url-encoding-5">(2)</a>
    <li><a href="#ref-for-base64url-encoding-6">6.2. Verifying an authentication assertion</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="cbor">
   <b><a href="#cbor">#cbor</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-cbor-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
    <li><a href="#ref-for-cbor-2">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a>
    <li><a href="#ref-for-cbor-3">5.1. Authenticator data</a> <a href="#ref-for-cbor-4">(2)</a>
    <li><a href="#ref-for-cbor-5">8. WebAuthn Extensions</a> <a href="#ref-for-cbor-6">(2)</a> <a href="#ref-for-cbor-7">(3)</a>
    <li><a href="#ref-for-cbor-8">8.2. Defining extensions</a> <a href="#ref-for-cbor-9">(2)</a>
    <li><a href="#ref-for-cbor-10">8.3. Extending request parameters</a>
    <li><a href="#ref-for-cbor-11">8.4. Client extension processing</a> <a href="#ref-for-cbor-12">(2)</a>
    <li><a href="#ref-for-cbor-13">8.5. Authenticator extension processing</a> <a href="#ref-for-cbor-14">(2)</a> <a href="#ref-for-cbor-15">(3)</a> <a href="#ref-for-cbor-16">(4)</a> <a href="#ref-for-cbor-17">(5)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="attestation-objects">
   <b><a href="#attestation-objects">#attestation-objects</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-attestation-objects-1">4. Web Authentication API</a>
    <li><a href="#ref-for-attestation-objects-2">4.2.1. Information about Public Key Credential (interface AuthenticatorAttestationResponse)</a> <a href="#ref-for-attestation-objects-3">(2)</a>
    <li><a href="#ref-for-attestation-objects-4">4.5. Options for Credential Creation (dictionary MakeCredentialOptions)</a> <a href="#ref-for-attestation-objects-5">(2)</a>
    <li><a href="#ref-for-attestation-objects-6">5.2.1. The authenticatorMakeCredential operation</a> <a href="#ref-for-attestation-objects-7">(2)</a>
    <li><a href="#ref-for-attestation-objects-8">5.3. Credential Attestation</a> <a href="#ref-for-attestation-objects-9">(2)</a>
    <li><a href="#ref-for-attestation-objects-10">5.3.1. Attestation data</a>
    <li><a href="#ref-for-attestation-objects-11">5.3.4. Generating an Attestation Object</a> <a href="#ref-for-attestation-objects-12">(2)</a> <a href="#ref-for-attestation-objects-13">(3)</a> <a href="#ref-for-attestation-objects-14">(4)</a>
    <li><a href="#ref-for-attestation-objects-15">6.1. Registering a new credential</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="attestation-certificate">
   <b><a href="#attestation-certificate">#attestation-certificate</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-attestation-certificate-1">3. Terminology</a> <a href="#ref-for-attestation-certificate-2">(2)</a>
    <li><a href="#ref-for-attestation-certificate-3">7.3.1. TPM attestation statement certificate requirements</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="attestation-key-pair">
   <b><a href="#attestation-key-pair">#attestation-key-pair</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-attestation-key-pair-1">3. Terminology</a> <a href="#ref-for-attestation-key-pair-2">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authentication">
   <b><a href="#authentication">#authentication</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authentication-1">1. Introduction</a> <a href="#ref-for-authentication-2">(2)</a>
    <li><a href="#ref-for-authentication-3">3. Terminology</a> <a href="#ref-for-authentication-4">(2)</a> <a href="#ref-for-authentication-5">(3)</a> <a href="#ref-for-authentication-6">(4)</a> <a href="#ref-for-authentication-7">(5)</a>
    <li><a href="#ref-for-authentication-8">6.2. Verifying an authentication assertion</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authentication-assertion">
   <b><a href="#authentication-assertion">#authentication-assertion</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authentication-assertion-1">1. Introduction</a>
    <li><a href="#ref-for-authentication-assertion-2">3. Terminology</a> <a href="#ref-for-authentication-assertion-3">(2)</a> <a href="#ref-for-authentication-assertion-4">(3)</a>
    <li><a href="#ref-for-authentication-assertion-5">4.1. PublicKeyCredential Interface</a>
    <li><a href="#ref-for-authentication-assertion-6">4.2.2. Web Authentication Assertion (interface AuthenticatorAssertionResponse)</a>
    <li><a href="#ref-for-authentication-assertion-7">4.6. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a>
    <li><a href="#ref-for-authentication-assertion-8">8. WebAuthn Extensions</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authenticator">
   <b><a href="#authenticator">#authenticator</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authenticator-1">1. Introduction</a> <a href="#ref-for-authenticator-2">(2)</a> <a href="#ref-for-authenticator-3">(3)</a> <a href="#ref-for-authenticator-4">(4)</a>
    <li><a href="#ref-for-authenticator-5">1.1. Use Cases</a>
    <li><a href="#ref-for-authenticator-6">2. Conformance</a>
    <li><a href="#ref-for-authenticator-7">3. Terminology</a> <a href="#ref-for-authenticator-8">(2)</a> <a href="#ref-for-authenticator-9">(3)</a> <a href="#ref-for-authenticator-10">(4)</a> <a href="#ref-for-authenticator-11">(5)</a> <a href="#ref-for-authenticator-12">(6)</a> <a href="#ref-for-authenticator-13">(7)</a> <a href="#ref-for-authenticator-14">(8)</a> <a href="#ref-for-authenticator-15">(9)</a> <a href="#ref-for-authenticator-16">(10)</a> <a href="#ref-for-authenticator-17">(11)</a> <a href="#ref-for-authenticator-18">(12)</a>
    <li><a href="#ref-for-authenticator-19">4.1. PublicKeyCredential Interface</a>
    <li><a href="#ref-for-authenticator-20">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
    <li><a href="#ref-for-authenticator-21">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a>
    <li><a href="#ref-for-authenticator-22">4.2. Authenticator Responses (interface AuthenticatorResponse)</a>
    <li><a href="#ref-for-authenticator-23">4.2.1. Information about Public Key Credential (interface AuthenticatorAttestationResponse)</a> <a href="#ref-for-authenticator-24">(2)</a>
    <li><a href="#ref-for-authenticator-25">4.2.2. Web Authentication Assertion (interface AuthenticatorAssertionResponse)</a>
    <li><a href="#ref-for-authenticator-26">4.5.3. Credential Attachment enumeration (enum Attachment)</a>
    <li><a href="#ref-for-authenticator-27">4.6. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a>
    <li><a href="#ref-for-authenticator-28">5. WebAuthn Authenticator model</a>
    <li><a href="#ref-for-authenticator-29">5.1. Authenticator data</a>
    <li><a href="#ref-for-authenticator-30">5.3. Credential Attestation</a>
    <li><a href="#ref-for-authenticator-31">5.3.5.1. Privacy</a>
    <li><a href="#ref-for-authenticator-32">5.3.5.2. Attestation Certificate and Attestation Certificate CA Compromise</a>
    <li><a href="#ref-for-authenticator-33">6.1. Registering a new credential</a>
    <li><a href="#ref-for-authenticator-34">7.2. Packed Attestation Statement Format</a>
    <li><a href="#ref-for-authenticator-35">7.4. Android Key Attestation Statement Format</a>
    <li><a href="#ref-for-authenticator-36">7.5. Android SafetyNet Attestation Statement Format</a>
    <li><a href="#ref-for-authenticator-37">9.5. Supported Extensions Extension (exts)</a>
    <li><a href="#ref-for-authenticator-38">9.6. User Verification Index Extension (uvi)</a>
    <li><a href="#ref-for-authenticator-39">9.7. Location Extension (loc)</a> <a href="#ref-for-authenticator-40">(2)</a> <a href="#ref-for-authenticator-41">(3)</a> <a href="#ref-for-authenticator-42">(4)</a>
    <li><a href="#ref-for-authenticator-43">9.8. User Verification Method Extension (uvm)</a>
    <li><a href="#ref-for-authenticator-44">11. Sample scenarios</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authorization-gesture">
   <b><a href="#authorization-gesture">#authorization-gesture</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authorization-gesture-1">1.1.1. Registration</a>
    <li><a href="#ref-for-authorization-gesture-2">1.1.2. Authentication</a>
    <li><a href="#ref-for-authorization-gesture-3">1.1.3. Other use cases and configurations</a>
    <li><a href="#ref-for-authorization-gesture-4">3. Terminology</a> <a href="#ref-for-authorization-gesture-5">(2)</a> <a href="#ref-for-authorization-gesture-6">(3)</a> <a href="#ref-for-authorization-gesture-7">(4)</a> <a href="#ref-for-authorization-gesture-8">(5)</a> <a href="#ref-for-authorization-gesture-9">(6)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="biometric-recognition">
   <b><a href="#biometric-recognition">#biometric-recognition</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-biometric-recognition-1">3. Terminology</a> <a href="#ref-for-biometric-recognition-2">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="ceremony">
   <b><a href="#ceremony">#ceremony</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-ceremony-1">1. Introduction</a>
    <li><a href="#ref-for-ceremony-2">3. Terminology</a> <a href="#ref-for-ceremony-3">(2)</a> <a href="#ref-for-ceremony-4">(3)</a> <a href="#ref-for-ceremony-5">(4)</a> <a href="#ref-for-ceremony-6">(5)</a> <a href="#ref-for-ceremony-7">(6)</a> <a href="#ref-for-ceremony-8">(7)</a>
    <li><a href="#ref-for-ceremony-9">6.1. Registering a new credential</a>
    <li><a href="#ref-for-ceremony-10">6.2. Verifying an authentication assertion</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="client">
   <b><a href="#client">#client</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-client-1">3. Terminology</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="conforming-user-agent">
   <b><a href="#conforming-user-agent">#conforming-user-agent</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-conforming-user-agent-1">1. Introduction</a>
    <li><a href="#ref-for-conforming-user-agent-2">2. Conformance</a> <a href="#ref-for-conforming-user-agent-3">(2)</a> <a href="#ref-for-conforming-user-agent-4">(3)</a>
    <li><a href="#ref-for-conforming-user-agent-5">3. Terminology</a> <a href="#ref-for-conforming-user-agent-6">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="credential-public-key">
   <b><a href="#credential-public-key">#credential-public-key</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-credential-public-key-1">3. Terminology</a>
    <li><a href="#ref-for-credential-public-key-2">4.2.1. Information about Public Key Credential (interface AuthenticatorAttestationResponse)</a>
    <li><a href="#ref-for-credential-public-key-3">5.1. Authenticator data</a>
    <li><a href="#ref-for-credential-public-key-4">7.4. Android Key Attestation Statement Format</a>
    <li><a href="#ref-for-credential-public-key-5">11.1. Registration</a> <a href="#ref-for-credential-public-key-6">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="credential-key-pair">
   <b><a href="#credential-key-pair">#credential-key-pair</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-credential-key-pair-1">3. Terminology</a> <a href="#ref-for-credential-key-pair-2">(2)</a>
    <li><a href="#ref-for-credential-key-pair-3">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="credential-private-key">
   <b><a href="#credential-private-key">#credential-private-key</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-credential-private-key-1">3. Terminology</a> <a href="#ref-for-credential-private-key-2">(2)</a>
    <li><a href="#ref-for-credential-private-key-3">4.1. PublicKeyCredential Interface</a>
    <li><a href="#ref-for-credential-private-key-4">4.2.2. Web Authentication Assertion (interface AuthenticatorAssertionResponse)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="registration">
   <b><a href="#registration">#registration</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-registration-1">1. Introduction</a> <a href="#ref-for-registration-2">(2)</a>
    <li><a href="#ref-for-registration-3">3. Terminology</a> <a href="#ref-for-registration-4">(2)</a> <a href="#ref-for-registration-5">(3)</a> <a href="#ref-for-registration-6">(4)</a> <a href="#ref-for-registration-7">(5)</a> <a href="#ref-for-registration-8">(6)</a> <a href="#ref-for-registration-9">(7)</a>
    <li><a href="#ref-for-registration-10">6.1. Registering a new credential</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="relying-party">
   <b><a href="#relying-party">#relying-party</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-relying-party-1">1. Introduction</a> <a href="#ref-for-relying-party-2">(2)</a> <a href="#ref-for-relying-party-3">(3)</a> <a href="#ref-for-relying-party-4">(4)</a> <a href="#ref-for-relying-party-5">(5)</a>
    <li><a href="#ref-for-relying-party-6">1.1.3. Other use cases and configurations</a>
    <li><a href="#ref-for-relying-party-7">3. Terminology</a> <a href="#ref-for-relying-party-8">(2)</a> <a href="#ref-for-relying-party-9">(3)</a> <a href="#ref-for-relying-party-10">(4)</a> <a href="#ref-for-relying-party-11">(5)</a> <a href="#ref-for-relying-party-12">(6)</a> <a href="#ref-for-relying-party-13">(7)</a> <a href="#ref-for-relying-party-14">(8)</a> <a href="#ref-for-relying-party-15">(9)</a> <a href="#ref-for-relying-party-16">(10)</a> <a href="#ref-for-relying-party-17">(11)</a> <a href="#ref-for-relying-party-18">(12)</a> <a href="#ref-for-relying-party-19">(13)</a> <a href="#ref-for-relying-party-20">(14)</a>
    <li><a href="#ref-for-relying-party-21">4. Web Authentication API</a> <a href="#ref-for-relying-party-22">(2)</a> <a href="#ref-for-relying-party-23">(3)</a>
    <li><a href="#ref-for-relying-party-24">4.2.1. Information about Public Key Credential (interface AuthenticatorAttestationResponse)</a>
    <li><a href="#ref-for-relying-party-25">4.2.2. Web Authentication Assertion (interface AuthenticatorAssertionResponse)</a>
    <li><a href="#ref-for-relying-party-26">4.5. Options for Credential Creation (dictionary MakeCredentialOptions)</a> <a href="#ref-for-relying-party-27">(2)</a> <a href="#ref-for-relying-party-28">(3)</a> <a href="#ref-for-relying-party-29">(4)</a> <a href="#ref-for-relying-party-30">(5)</a>
    <li><a href="#ref-for-relying-party-31">4.5.1. Entity Description</a> <a href="#ref-for-relying-party-32">(2)</a> <a href="#ref-for-relying-party-33">(3)</a> <a href="#ref-for-relying-party-34">(4)</a> <a href="#ref-for-relying-party-35">(5)</a>
    <li><a href="#ref-for-relying-party-36">4.5.2. Authenticator Selection Criteria</a> <a href="#ref-for-relying-party-37">(2)</a>
    <li><a href="#ref-for-relying-party-38">4.5.3. Credential Attachment enumeration (enum Attachment)</a> <a href="#ref-for-relying-party-39">(2)</a>
    <li><a href="#ref-for-relying-party-40">4.8.1. Client data used in WebAuthn signatures (dictionary CollectedClientData)</a> <a href="#ref-for-relying-party-41">(2)</a> <a href="#ref-for-relying-party-42">(3)</a> <a href="#ref-for-relying-party-43">(4)</a>
    <li><a href="#ref-for-relying-party-44">4.8.4. Credential Transport enumeration (enum ExternalTransport)</a> <a href="#ref-for-relying-party-45">(2)</a>
    <li><a href="#ref-for-relying-party-46">5. WebAuthn Authenticator model</a> <a href="#ref-for-relying-party-47">(2)</a>
    <li><a href="#ref-for-relying-party-48">5.1. Authenticator data</a> <a href="#ref-for-relying-party-49">(2)</a>
    <li><a href="#ref-for-relying-party-50">5.2.1. The authenticatorMakeCredential operation</a> <a href="#ref-for-relying-party-51">(2)</a> <a href="#ref-for-relying-party-52">(3)</a> <a href="#ref-for-relying-party-53">(4)</a>
    <li><a href="#ref-for-relying-party-54">5.2.2. The authenticatorGetAssertion operation</a> <a href="#ref-for-relying-party-55">(2)</a> <a href="#ref-for-relying-party-56">(3)</a>
    <li><a href="#ref-for-relying-party-57">5.3. Credential Attestation</a> <a href="#ref-for-relying-party-58">(2)</a> <a href="#ref-for-relying-party-59">(3)</a>
    <li><a href="#ref-for-relying-party-60">5.3.5.1. Privacy</a>
    <li><a href="#ref-for-relying-party-61">5.3.5.2. Attestation Certificate and Attestation Certificate CA Compromise</a> <a href="#ref-for-relying-party-62">(2)</a> <a href="#ref-for-relying-party-63">(3)</a> <a href="#ref-for-relying-party-64">(4)</a> <a href="#ref-for-relying-party-65">(5)</a>
    <li><a href="#ref-for-relying-party-66">6. Relying Party Operations</a> <a href="#ref-for-relying-party-67">(2)</a> <a href="#ref-for-relying-party-68">(3)</a> <a href="#ref-for-relying-party-69">(4)</a>
    <li><a href="#ref-for-relying-party-70">6.1. Registering a new credential</a> <a href="#ref-for-relying-party-71">(2)</a> <a href="#ref-for-relying-party-72">(3)</a> <a href="#ref-for-relying-party-73">(4)</a> <a href="#ref-for-relying-party-74">(5)</a> <a href="#ref-for-relying-party-75">(6)</a> <a href="#ref-for-relying-party-76">(7)</a> <a href="#ref-for-relying-party-77">(8)</a> <a href="#ref-for-relying-party-78">(9)</a> <a href="#ref-for-relying-party-79">(10)</a> <a href="#ref-for-relying-party-80">(11)</a> <a href="#ref-for-relying-party-81">(12)</a> <a href="#ref-for-relying-party-82">(13)</a>
    <li><a href="#ref-for-relying-party-83">6.2. Verifying an authentication assertion</a> <a href="#ref-for-relying-party-84">(2)</a> <a href="#ref-for-relying-party-85">(3)</a> <a href="#ref-for-relying-party-86">(4)</a>
    <li><a href="#ref-for-relying-party-87">7.4. Android Key Attestation Statement Format</a>
    <li><a href="#ref-for-relying-party-88">8. WebAuthn Extensions</a> <a href="#ref-for-relying-party-89">(2)</a> <a href="#ref-for-relying-party-90">(3)</a>
    <li><a href="#ref-for-relying-party-91">8.2. Defining extensions</a> <a href="#ref-for-relying-party-92">(2)</a>
    <li><a href="#ref-for-relying-party-93">8.3. Extending request parameters</a> <a href="#ref-for-relying-party-94">(2)</a> <a href="#ref-for-relying-party-95">(3)</a> <a href="#ref-for-relying-party-96">(4)</a>
    <li><a href="#ref-for-relying-party-97">8.6. Example Extension</a> <a href="#ref-for-relying-party-98">(2)</a> <a href="#ref-for-relying-party-99">(3)</a>
    <li><a href="#ref-for-relying-party-100">9.2. Simple Transaction Authorization Extension (txAuthSimple)</a>
    <li><a href="#ref-for-relying-party-101">9.4. Authenticator Selection Extension (authnSel)</a> <a href="#ref-for-relying-party-102">(2)</a>
    <li><a href="#ref-for-relying-party-103">9.5. Supported Extensions Extension (exts)</a> <a href="#ref-for-relying-party-104">(2)</a>
    <li><a href="#ref-for-relying-party-105">9.6. User Verification Index Extension (uvi)</a>
    <li><a href="#ref-for-relying-party-106">9.7. Location Extension (loc)</a>
    <li><a href="#ref-for-relying-party-107">10.2. WebAuthn Extension Identifier Registrations</a>
    <li><a href="#ref-for-relying-party-108">11.1. Registration</a> <a href="#ref-for-relying-party-109">(2)</a> <a href="#ref-for-relying-party-110">(3)</a> <a href="#ref-for-relying-party-111">(4)</a>
    <li><a href="#ref-for-relying-party-112">11.2. Authentication</a> <a href="#ref-for-relying-party-113">(2)</a> <a href="#ref-for-relying-party-114">(3)</a> <a href="#ref-for-relying-party-115">(4)</a> <a href="#ref-for-relying-party-116">(5)</a>
    <li><a href="#ref-for-relying-party-117">11.3. Decommissioning</a> <a href="#ref-for-relying-party-118">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="relying-party-identifier">
   <b><a href="#relying-party-identifier">#relying-party-identifier</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-relying-party-identifier-1">4.5. Options for Credential Creation (dictionary MakeCredentialOptions)</a>
    <li><a href="#ref-for-relying-party-identifier-2">4.6. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a>
    <li><a href="#ref-for-relying-party-identifier-3">5. WebAuthn Authenticator model</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="rp-id">
   <b><a href="#rp-id">#rp-id</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-rp-id-1">3. Terminology</a> <a href="#ref-for-rp-id-2">(2)</a>
    <li><a href="#ref-for-rp-id-3">5. WebAuthn Authenticator model</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="public-key-credential">
   <b><a href="#public-key-credential">#public-key-credential</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-public-key-credential-1">1. Introduction</a> <a href="#ref-for-public-key-credential-2">(2)</a> <a href="#ref-for-public-key-credential-3">(3)</a> <a href="#ref-for-public-key-credential-4">(4)</a> <a href="#ref-for-public-key-credential-5">(5)</a>
    <li><a href="#ref-for-public-key-credential-6">3. Terminology</a> <a href="#ref-for-public-key-credential-7">(2)</a> <a href="#ref-for-public-key-credential-8">(3)</a> <a href="#ref-for-public-key-credential-9">(4)</a> <a href="#ref-for-public-key-credential-10">(5)</a> <a href="#ref-for-public-key-credential-11">(6)</a>
    <li><a href="#ref-for-public-key-credential-12">4. Web Authentication API</a>
    <li><a href="#ref-for-public-key-credential-13">4.1. PublicKeyCredential Interface</a>
    <li><a href="#ref-for-public-key-credential-14">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a>
    <li><a href="#ref-for-public-key-credential-15">4.2.1. Information about Public Key Credential (interface AuthenticatorAttestationResponse)</a>
    <li><a href="#ref-for-public-key-credential-16">4.5.2. Authenticator Selection Criteria</a>
    <li><a href="#ref-for-public-key-credential-17">4.6. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a>
    <li><a href="#ref-for-public-key-credential-18">4.8. Supporting Data Structures</a>
    <li><a href="#ref-for-public-key-credential-19">5. WebAuthn Authenticator model</a> <a href="#ref-for-public-key-credential-20">(2)</a> <a href="#ref-for-public-key-credential-21">(3)</a>
    <li><a href="#ref-for-public-key-credential-22">5.3.3. Attestation Types</a>
    <li><a href="#ref-for-public-key-credential-23">5.3.5.2. Attestation Certificate and Attestation Certificate CA Compromise</a> <a href="#ref-for-public-key-credential-24">(2)</a>
    <li><a href="#ref-for-public-key-credential-25">6.1. Registering a new credential</a>
    <li><a href="#ref-for-public-key-credential-26">8. WebAuthn Extensions</a> <a href="#ref-for-public-key-credential-27">(2)</a>
    <li><a href="#ref-for-public-key-credential-28">11. Sample scenarios</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="test-of-user-presence">
   <b><a href="#test-of-user-presence">#test-of-user-presence</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-test-of-user-presence-1">3. Terminology</a> <a href="#ref-for-test-of-user-presence-2">(2)</a>
    <li><a href="#ref-for-test-of-user-presence-3">5.1. Authenticator data</a>
    <li><a href="#ref-for-test-of-user-presence-4">9.2. Simple Transaction Authorization Extension (txAuthSimple)</a>
    <li><a href="#ref-for-test-of-user-presence-5">9.3. Generic Transaction Authorization Extension (txAuthGeneric)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="tup">
   <b><a href="#tup">#tup</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-tup-1">3. Terminology</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="client-side-resident-credential-private-key">
   <b><a href="#client-side-resident-credential-private-key">#client-side-resident-credential-private-key</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-client-side-resident-credential-private-key-1">3. Terminology</a> <a href="#ref-for-client-side-resident-credential-private-key-2">(2)</a>
    <li><a href="#ref-for-client-side-resident-credential-private-key-3">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
    <li><a href="#ref-for-client-side-resident-credential-private-key-4">4.5.2. Authenticator Selection Criteria</a> <a href="#ref-for-client-side-resident-credential-private-key-5">(2)</a>
    <li><a href="#ref-for-client-side-resident-credential-private-key-6">5.2.1. The authenticatorMakeCredential operation</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="user-consent">
   <b><a href="#user-consent">#user-consent</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-user-consent-1">1. Introduction</a>
    <li><a href="#ref-for-user-consent-2">3. Terminology</a> <a href="#ref-for-user-consent-3">(2)</a>
    <li><a href="#ref-for-user-consent-4">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
    <li><a href="#ref-for-user-consent-5">4.2.2. Web Authentication Assertion (interface AuthenticatorAssertionResponse)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="user-verification">
   <b><a href="#user-verification">#user-verification</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-user-verification-1">1. Introduction</a>
    <li><a href="#ref-for-user-verification-2">3. Terminology</a> <a href="#ref-for-user-verification-3">(2)</a> <a href="#ref-for-user-verification-4">(3)</a> <a href="#ref-for-user-verification-5">(4)</a> <a href="#ref-for-user-verification-6">(5)</a> <a href="#ref-for-user-verification-7">(6)</a> <a href="#ref-for-user-verification-8">(7)</a>
    <li><a href="#ref-for-user-verification-9">9.2. Simple Transaction Authorization Extension (txAuthSimple)</a>
    <li><a href="#ref-for-user-verification-10">9.3. Generic Transaction Authorization Extension (txAuthGeneric)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="webauthn-client">
   <b><a href="#webauthn-client">#webauthn-client</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-webauthn-client-1">3. Terminology</a> <a href="#ref-for-webauthn-client-2">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="web-authentication-api">
   <b><a href="#web-authentication-api">#web-authentication-api</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-web-authentication-api-1">1. Introduction</a> <a href="#ref-for-web-authentication-api-2">(2)</a> <a href="#ref-for-web-authentication-api-3">(3)</a>
    <li><a href="#ref-for-web-authentication-api-4">3. Terminology</a> <a href="#ref-for-web-authentication-api-5">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="publickeycredential">
   <b><a href="#publickeycredential">#publickeycredential</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-publickeycredential-1">1. Introduction</a>
    <li><a href="#ref-for-publickeycredential-2">4.1. PublicKeyCredential Interface</a> <a href="#ref-for-publickeycredential-3">(2)</a> <a href="#ref-for-publickeycredential-4">(3)</a> <a href="#ref-for-publickeycredential-5">(4)</a> <a href="#ref-for-publickeycredential-6">(5)</a> <a href="#ref-for-publickeycredential-7">(6)</a> <a href="#ref-for-publickeycredential-8">(7)</a> <a href="#ref-for-publickeycredential-9">(8)</a>
    <li><a href="#ref-for-publickeycredential-10">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a> <a href="#ref-for-publickeycredential-11">(2)</a> <a href="#ref-for-publickeycredential-12">(3)</a> <a href="#ref-for-publickeycredential-13">(4)</a> <a href="#ref-for-publickeycredential-14">(5)</a> <a href="#ref-for-publickeycredential-15">(6)</a>
    <li><a href="#ref-for-publickeycredential-16">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a> <a href="#ref-for-publickeycredential-17">(2)</a>
    <li><a href="#ref-for-publickeycredential-18">4.8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor)</a>
    <li><a href="#ref-for-publickeycredential-19">5.2.1. The authenticatorMakeCredential operation</a> <a href="#ref-for-publickeycredential-20">(2)</a>
    <li><a href="#ref-for-publickeycredential-21">6. Relying Party Operations</a>
    <li><a href="#ref-for-publickeycredential-22">6.2. Verifying an authentication assertion</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredential-rawid">
   <b><a href="#dom-publickeycredential-rawid">#dom-publickeycredential-rawid</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredential-rawid-1">4.1. PublicKeyCredential Interface</a>
    <li><a href="#ref-for-dom-publickeycredential-rawid-2">6.2. Verifying an authentication assertion</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredential-response">
   <b><a href="#dom-publickeycredential-response">#dom-publickeycredential-response</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredential-response-1">4.1. PublicKeyCredential Interface</a>
    <li><a href="#ref-for-dom-publickeycredential-response-2">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
    <li><a href="#ref-for-dom-publickeycredential-response-3">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a>
    <li><a href="#ref-for-dom-publickeycredential-response-4">6.2. Verifying an authentication assertion</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredential-clientextensionresults">
   <b><a href="#dom-publickeycredential-clientextensionresults">#dom-publickeycredential-clientextensionresults</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredential-clientextensionresults-1">4.1. PublicKeyCredential Interface</a>
    <li><a href="#ref-for-dom-publickeycredential-clientextensionresults-2">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
    <li><a href="#ref-for-dom-publickeycredential-clientextensionresults-3">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a>
    <li><a href="#ref-for-dom-publickeycredential-clientextensionresults-4">8.4. Client extension processing</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredential-identifier-slot">
   <b><a href="#dom-publickeycredential-identifier-slot">#dom-publickeycredential-identifier-slot</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredential-identifier-slot-1">4.1. PublicKeyCredential Interface</a> <a href="#ref-for-dom-publickeycredential-identifier-slot-2">(2)</a>
    <li><a href="#ref-for-dom-publickeycredential-identifier-slot-3">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
    <li><a href="#ref-for-dom-publickeycredential-identifier-slot-4">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dictdef-credentialrequestoptions">
   <b><a href="#dictdef-credentialrequestoptions">#dictdef-credentialrequestoptions</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dictdef-credentialrequestoptions-1">4.1.1. CredentialRequestOptions Extension</a>
    <li><a href="#ref-for-dictdef-credentialrequestoptions-2">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-credentialrequestoptions-publickey">
   <b><a href="#dom-credentialrequestoptions-publickey">#dom-credentialrequestoptions-publickey</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-credentialrequestoptions-publickey-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a> <a href="#ref-for-dom-credentialrequestoptions-publickey-2">(2)</a>
    <li><a href="#ref-for-dom-credentialrequestoptions-publickey-3">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-credentialcreationoptions-publickey">
   <b><a href="#dom-credentialcreationoptions-publickey">#dom-credentialcreationoptions-publickey</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-credentialcreationoptions-publickey-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredential-create-slot">
   <b><a href="#dom-publickeycredential-create-slot">#dom-publickeycredential-create-slot</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredential-create-slot-1">4.1. PublicKeyCredential Interface</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredential-create-options-options">
   <b><a href="#dom-publickeycredential-create-options-options">#dom-publickeycredential-create-options-options</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredential-create-options-options-1">6.1. Registering a new credential</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredential-discoverfromexternalsource-slot">
   <b><a href="#dom-publickeycredential-discoverfromexternalsource-slot">#dom-publickeycredential-discoverfromexternalsource-slot</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredential-discoverfromexternalsource-slot-1">4.1. PublicKeyCredential Interface</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authenticatorresponse">
   <b><a href="#authenticatorresponse">#authenticatorresponse</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authenticatorresponse-1">4.1. PublicKeyCredential Interface</a> <a href="#ref-for-authenticatorresponse-2">(2)</a>
    <li><a href="#ref-for-authenticatorresponse-3">4.2. Authenticator Responses (interface AuthenticatorResponse)</a> <a href="#ref-for-authenticatorresponse-4">(2)</a>
    <li><a href="#ref-for-authenticatorresponse-5">4.2.1. Information about Public Key Credential (interface AuthenticatorAttestationResponse)</a> <a href="#ref-for-authenticatorresponse-6">(2)</a>
    <li><a href="#ref-for-authenticatorresponse-7">4.2.2. Web Authentication Assertion (interface AuthenticatorAssertionResponse)</a> <a href="#ref-for-authenticatorresponse-8">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-authenticatorresponse-clientdatajson">
   <b><a href="#dom-authenticatorresponse-clientdatajson">#dom-authenticatorresponse-clientdatajson</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-authenticatorresponse-clientdatajson-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a> <a href="#ref-for-dom-authenticatorresponse-clientdatajson-2">(2)</a>
    <li><a href="#ref-for-dom-authenticatorresponse-clientdatajson-3">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a> <a href="#ref-for-dom-authenticatorresponse-clientdatajson-4">(2)</a>
    <li><a href="#ref-for-dom-authenticatorresponse-clientdatajson-5">4.2. Authenticator Responses (interface AuthenticatorResponse)</a>
    <li><a href="#ref-for-dom-authenticatorresponse-clientdatajson-6">4.2.1. Information about Public Key Credential (interface AuthenticatorAttestationResponse)</a>
    <li><a href="#ref-for-dom-authenticatorresponse-clientdatajson-7">4.2.2. Web Authentication Assertion (interface AuthenticatorAssertionResponse)</a>
    <li><a href="#ref-for-dom-authenticatorresponse-clientdatajson-8">6.1. Registering a new credential</a> <a href="#ref-for-dom-authenticatorresponse-clientdatajson-9">(2)</a>
    <li><a href="#ref-for-dom-authenticatorresponse-clientdatajson-10">6.2. Verifying an authentication assertion</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authenticatorattestationresponse">
   <b><a href="#authenticatorattestationresponse">#authenticatorattestationresponse</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authenticatorattestationresponse-1">4.1. PublicKeyCredential Interface</a>
    <li><a href="#ref-for-authenticatorattestationresponse-2">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a> <a href="#ref-for-authenticatorattestationresponse-3">(2)</a>
    <li><a href="#ref-for-authenticatorattestationresponse-4">4.2.1. Information about Public Key Credential (interface AuthenticatorAttestationResponse)</a> <a href="#ref-for-authenticatorattestationresponse-5">(2)</a>
    <li><a href="#ref-for-authenticatorattestationresponse-6">6. Relying Party Operations</a>
    <li><a href="#ref-for-authenticatorattestationresponse-7">6.1. Registering a new credential</a> <a href="#ref-for-authenticatorattestationresponse-8">(2)</a> <a href="#ref-for-authenticatorattestationresponse-9">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-authenticatorattestationresponse-attestationobject">
   <b><a href="#dom-authenticatorattestationresponse-attestationobject">#dom-authenticatorattestationresponse-attestationobject</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-authenticatorattestationresponse-attestationobject-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
    <li><a href="#ref-for-dom-authenticatorattestationresponse-attestationobject-2">4.2.1. Information about Public Key Credential (interface AuthenticatorAttestationResponse)</a>
    <li><a href="#ref-for-dom-authenticatorattestationresponse-attestationobject-3">6.1. Registering a new credential</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authenticatorassertionresponse">
   <b><a href="#authenticatorassertionresponse">#authenticatorassertionresponse</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authenticatorassertionresponse-1">3. Terminology</a>
    <li><a href="#ref-for-authenticatorassertionresponse-2">4.1. PublicKeyCredential Interface</a>
    <li><a href="#ref-for-authenticatorassertionresponse-3">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a>
    <li><a href="#ref-for-authenticatorassertionresponse-4">4.2.2. Web Authentication Assertion (interface AuthenticatorAssertionResponse)</a> <a href="#ref-for-authenticatorassertionresponse-5">(2)</a>
    <li><a href="#ref-for-authenticatorassertionresponse-6">6. Relying Party Operations</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-authenticatorassertionresponse-authenticatordata">
   <b><a href="#dom-authenticatorassertionresponse-authenticatordata">#dom-authenticatorassertionresponse-authenticatordata</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-authenticatorassertionresponse-authenticatordata-1">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a> <a href="#ref-for-dom-authenticatorassertionresponse-authenticatordata-2">(2)</a>
    <li><a href="#ref-for-dom-authenticatorassertionresponse-authenticatordata-3">4.2.2. Web Authentication Assertion (interface AuthenticatorAssertionResponse)</a>
    <li><a href="#ref-for-dom-authenticatorassertionresponse-authenticatordata-4">6.2. Verifying an authentication assertion</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-authenticatorassertionresponse-signature">
   <b><a href="#dom-authenticatorassertionresponse-signature">#dom-authenticatorassertionresponse-signature</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-authenticatorassertionresponse-signature-1">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a> <a href="#ref-for-dom-authenticatorassertionresponse-signature-2">(2)</a>
    <li><a href="#ref-for-dom-authenticatorassertionresponse-signature-3">4.2.2. Web Authentication Assertion (interface AuthenticatorAssertionResponse)</a>
    <li><a href="#ref-for-dom-authenticatorassertionresponse-signature-4">6.2. Verifying an authentication assertion</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dictdef-publickeycredentialparameters">
   <b><a href="#dictdef-publickeycredentialparameters">#dictdef-publickeycredentialparameters</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dictdef-publickeycredentialparameters-1">4.3. Parameters for Credential Generation (dictionary PublicKeyCredentialParameters)</a>
    <li><a href="#ref-for-dictdef-publickeycredentialparameters-2">4.5. Options for Credential Creation (dictionary MakeCredentialOptions)</a> <a href="#ref-for-dictdef-publickeycredentialparameters-3">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialparameters-type">
   <b><a href="#dom-publickeycredentialparameters-type">#dom-publickeycredentialparameters-type</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialparameters-type-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a> <a href="#ref-for-dom-publickeycredentialparameters-type-2">(2)</a>
    <li><a href="#ref-for-dom-publickeycredentialparameters-type-3">4.3. Parameters for Credential Generation (dictionary PublicKeyCredentialParameters)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialparameters-algorithm">
   <b><a href="#dom-publickeycredentialparameters-algorithm">#dom-publickeycredentialparameters-algorithm</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialparameters-algorithm-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
    <li><a href="#ref-for-dom-publickeycredentialparameters-algorithm-2">4.3. Parameters for Credential Generation (dictionary PublicKeyCredentialParameters)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dictdef-publickeycredentialuserentity">
   <b><a href="#dictdef-publickeycredentialuserentity">#dictdef-publickeycredentialuserentity</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dictdef-publickeycredentialuserentity-1">4.4. User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity)</a>
    <li><a href="#ref-for-dictdef-publickeycredentialuserentity-2">4.5. Options for Credential Creation (dictionary MakeCredentialOptions)</a> <a href="#ref-for-dictdef-publickeycredentialuserentity-3">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialuserentity-displayname">
   <b><a href="#dom-publickeycredentialuserentity-displayname">#dom-publickeycredentialuserentity-displayname</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialuserentity-displayname-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
    <li><a href="#ref-for-dom-publickeycredentialuserentity-displayname-2">4.4. User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity)</a>
    <li><a href="#ref-for-dom-publickeycredentialuserentity-displayname-3">4.5. Options for Credential Creation (dictionary MakeCredentialOptions)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dictdef-makecredentialoptions">
   <b><a href="#dictdef-makecredentialoptions">#dictdef-makecredentialoptions</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dictdef-makecredentialoptions-1">4.1.2. CredentialCreationOptions Extension</a>
    <li><a href="#ref-for-dictdef-makecredentialoptions-2">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
    <li><a href="#ref-for-dictdef-makecredentialoptions-3">4.5. Options for Credential Creation (dictionary MakeCredentialOptions)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-makecredentialoptions-rp">
   <b><a href="#dom-makecredentialoptions-rp">#dom-makecredentialoptions-rp</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-makecredentialoptions-rp-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a> <a href="#ref-for-dom-makecredentialoptions-rp-2">(2)</a> <a href="#ref-for-dom-makecredentialoptions-rp-3">(3)</a> <a href="#ref-for-dom-makecredentialoptions-rp-4">(4)</a> <a href="#ref-for-dom-makecredentialoptions-rp-5">(5)</a>
    <li><a href="#ref-for-dom-makecredentialoptions-rp-6">4.5. Options for Credential Creation (dictionary MakeCredentialOptions)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-makecredentialoptions-user">
   <b><a href="#dom-makecredentialoptions-user">#dom-makecredentialoptions-user</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-makecredentialoptions-user-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a> <a href="#ref-for-dom-makecredentialoptions-user-2">(2)</a> <a href="#ref-for-dom-makecredentialoptions-user-3">(3)</a> <a href="#ref-for-dom-makecredentialoptions-user-4">(4)</a>
    <li><a href="#ref-for-dom-makecredentialoptions-user-5">4.5. Options for Credential Creation (dictionary MakeCredentialOptions)</a>
    <li><a href="#ref-for-dom-makecredentialoptions-user-6">5.2.1. The authenticatorMakeCredential operation</a> <a href="#ref-for-dom-makecredentialoptions-user-7">(2)</a>
    <li><a href="#ref-for-dom-makecredentialoptions-user-8">6.1. Registering a new credential</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-makecredentialoptions-challenge">
   <b><a href="#dom-makecredentialoptions-challenge">#dom-makecredentialoptions-challenge</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-makecredentialoptions-challenge-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
    <li><a href="#ref-for-dom-makecredentialoptions-challenge-2">4.5. Options for Credential Creation (dictionary MakeCredentialOptions)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-makecredentialoptions-parameters">
   <b><a href="#dom-makecredentialoptions-parameters">#dom-makecredentialoptions-parameters</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-makecredentialoptions-parameters-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a> <a href="#ref-for-dom-makecredentialoptions-parameters-2">(2)</a>
    <li><a href="#ref-for-dom-makecredentialoptions-parameters-3">4.5. Options for Credential Creation (dictionary MakeCredentialOptions)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-makecredentialoptions-timeout">
   <b><a href="#dom-makecredentialoptions-timeout">#dom-makecredentialoptions-timeout</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-makecredentialoptions-timeout-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a> <a href="#ref-for-dom-makecredentialoptions-timeout-2">(2)</a>
    <li><a href="#ref-for-dom-makecredentialoptions-timeout-3">4.5. Options for Credential Creation (dictionary MakeCredentialOptions)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-makecredentialoptions-excludelist">
   <b><a href="#dom-makecredentialoptions-excludelist">#dom-makecredentialoptions-excludelist</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-makecredentialoptions-excludelist-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
    <li><a href="#ref-for-dom-makecredentialoptions-excludelist-2">4.5. Options for Credential Creation (dictionary MakeCredentialOptions)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-makecredentialoptions-authenticatorselection">
   <b><a href="#dom-makecredentialoptions-authenticatorselection">#dom-makecredentialoptions-authenticatorselection</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-makecredentialoptions-authenticatorselection-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
    <li><a href="#ref-for-dom-makecredentialoptions-authenticatorselection-2">4.5. Options for Credential Creation (dictionary MakeCredentialOptions)</a>
    <li><a href="#ref-for-dom-makecredentialoptions-authenticatorselection-3">5.2.1. The authenticatorMakeCredential operation</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-makecredentialoptions-extensions">
   <b><a href="#dom-makecredentialoptions-extensions">#dom-makecredentialoptions-extensions</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-makecredentialoptions-extensions-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a> <a href="#ref-for-dom-makecredentialoptions-extensions-2">(2)</a>
    <li><a href="#ref-for-dom-makecredentialoptions-extensions-3">4.5. Options for Credential Creation (dictionary MakeCredentialOptions)</a>
    <li><a href="#ref-for-dom-makecredentialoptions-extensions-4">8.3. Extending request parameters</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dictdef-publickeycredentialentity">
   <b><a href="#dictdef-publickeycredentialentity">#dictdef-publickeycredentialentity</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dictdef-publickeycredentialentity-1">4.4. User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity)</a>
    <li><a href="#ref-for-dictdef-publickeycredentialentity-2">4.5. Options for Credential Creation (dictionary MakeCredentialOptions)</a> <a href="#ref-for-dictdef-publickeycredentialentity-3">(2)</a>
    <li><a href="#ref-for-dictdef-publickeycredentialentity-4">4.5.1. Entity Description</a>
    <li><a href="#ref-for-dictdef-publickeycredentialentity-5">5.2.1. The authenticatorMakeCredential operation</a> <a href="#ref-for-dictdef-publickeycredentialentity-6">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialentity-id">
   <b><a href="#dom-publickeycredentialentity-id">#dom-publickeycredentialentity-id</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialentity-id-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a> <a href="#ref-for-dom-publickeycredentialentity-id-2">(2)</a> <a href="#ref-for-dom-publickeycredentialentity-id-3">(3)</a> <a href="#ref-for-dom-publickeycredentialentity-id-4">(4)</a>
    <li><a href="#ref-for-dom-publickeycredentialentity-id-5">4.5. Options for Credential Creation (dictionary MakeCredentialOptions)</a> <a href="#ref-for-dom-publickeycredentialentity-id-6">(2)</a> <a href="#ref-for-dom-publickeycredentialentity-id-7">(3)</a>
    <li><a href="#ref-for-dom-publickeycredentialentity-id-8">4.5.1. Entity Description</a>
    <li><a href="#ref-for-dom-publickeycredentialentity-id-9">5.2.1. The authenticatorMakeCredential operation</a> <a href="#ref-for-dom-publickeycredentialentity-id-10">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialentity-name">
   <b><a href="#dom-publickeycredentialentity-name">#dom-publickeycredentialentity-name</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialentity-name-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a> <a href="#ref-for-dom-publickeycredentialentity-name-2">(2)</a>
    <li><a href="#ref-for-dom-publickeycredentialentity-name-3">4.5. Options for Credential Creation (dictionary MakeCredentialOptions)</a> <a href="#ref-for-dom-publickeycredentialentity-name-4">(2)</a>
    <li><a href="#ref-for-dom-publickeycredentialentity-name-5">4.5.1. Entity Description</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialentity-icon">
   <b><a href="#dom-publickeycredentialentity-icon">#dom-publickeycredentialentity-icon</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialentity-icon-1">4.5.1. Entity Description</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dictdef-authenticatorselectioncriteria">
   <b><a href="#dictdef-authenticatorselectioncriteria">#dictdef-authenticatorselectioncriteria</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dictdef-authenticatorselectioncriteria-1">4.5. Options for Credential Creation (dictionary MakeCredentialOptions)</a> <a href="#ref-for-dictdef-authenticatorselectioncriteria-2">(2)</a>
    <li><a href="#ref-for-dictdef-authenticatorselectioncriteria-3">4.5.2. Authenticator Selection Criteria</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-authenticatorselectioncriteria-attachment">
   <b><a href="#dom-authenticatorselectioncriteria-attachment">#dom-authenticatorselectioncriteria-attachment</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-authenticatorselectioncriteria-attachment-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
    <li><a href="#ref-for-dom-authenticatorselectioncriteria-attachment-2">4.5.2. Authenticator Selection Criteria</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-authenticatorselectioncriteria-requireresidentkey">
   <b><a href="#dom-authenticatorselectioncriteria-requireresidentkey">#dom-authenticatorselectioncriteria-requireresidentkey</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-authenticatorselectioncriteria-requireresidentkey-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
    <li><a href="#ref-for-dom-authenticatorselectioncriteria-requireresidentkey-2">4.5.2. Authenticator Selection Criteria</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="enumdef-attachment">
   <b><a href="#enumdef-attachment">#enumdef-attachment</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-enumdef-attachment-1">4.5.2. Authenticator Selection Criteria</a> <a href="#ref-for-enumdef-attachment-2">(2)</a>
    <li><a href="#ref-for-enumdef-attachment-3">4.5.3. Credential Attachment enumeration (enum Attachment)</a> <a href="#ref-for-enumdef-attachment-4">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="platform-authenticators">
   <b><a href="#platform-authenticators">#platform-authenticators</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-platform-authenticators-1">4.5.3. Credential Attachment enumeration (enum Attachment)</a> <a href="#ref-for-platform-authenticators-2">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="roaming-authenticators">
   <b><a href="#roaming-authenticators">#roaming-authenticators</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-roaming-authenticators-1">1.1.3. Other use cases and configurations</a>
    <li><a href="#ref-for-roaming-authenticators-2">4.5.3. Credential Attachment enumeration (enum Attachment)</a> <a href="#ref-for-roaming-authenticators-3">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="platform-attachment">
   <b><a href="#platform-attachment">#platform-attachment</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-platform-attachment-1">4.5.3. Credential Attachment enumeration (enum Attachment)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="cross-platform-attached">
   <b><a href="#cross-platform-attached">#cross-platform-attached</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-cross-platform-attached-1">4.5.3. Credential Attachment enumeration (enum Attachment)</a> <a href="#ref-for-cross-platform-attached-2">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dictdef-publickeycredentialrequestoptions">
   <b><a href="#dictdef-publickeycredentialrequestoptions">#dictdef-publickeycredentialrequestoptions</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dictdef-publickeycredentialrequestoptions-1">4.1.1. CredentialRequestOptions Extension</a>
    <li><a href="#ref-for-dictdef-publickeycredentialrequestoptions-2">4.6. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a> <a href="#ref-for-dictdef-publickeycredentialrequestoptions-3">(2)</a>
    <li><a href="#ref-for-dictdef-publickeycredentialrequestoptions-4">6.2. Verifying an authentication assertion</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialrequestoptions-challenge">
   <b><a href="#dom-publickeycredentialrequestoptions-challenge">#dom-publickeycredentialrequestoptions-challenge</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialrequestoptions-challenge-1">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a>
    <li><a href="#ref-for-dom-publickeycredentialrequestoptions-challenge-2">4.6. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a> <a href="#ref-for-dom-publickeycredentialrequestoptions-challenge-3">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialrequestoptions-timeout">
   <b><a href="#dom-publickeycredentialrequestoptions-timeout">#dom-publickeycredentialrequestoptions-timeout</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialrequestoptions-timeout-1">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a> <a href="#ref-for-dom-publickeycredentialrequestoptions-timeout-2">(2)</a>
    <li><a href="#ref-for-dom-publickeycredentialrequestoptions-timeout-3">4.6. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialrequestoptions-rpid">
   <b><a href="#dom-publickeycredentialrequestoptions-rpid">#dom-publickeycredentialrequestoptions-rpid</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialrequestoptions-rpid-1">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a> <a href="#ref-for-dom-publickeycredentialrequestoptions-rpid-2">(2)</a> <a href="#ref-for-dom-publickeycredentialrequestoptions-rpid-3">(3)</a>
    <li><a href="#ref-for-dom-publickeycredentialrequestoptions-rpid-4">4.6. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a>
    <li><a href="#ref-for-dom-publickeycredentialrequestoptions-rpid-5">9.1. FIDO AppId Extension (appid)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialrequestoptions-allowlist">
   <b><a href="#dom-publickeycredentialrequestoptions-allowlist">#dom-publickeycredentialrequestoptions-allowlist</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialrequestoptions-allowlist-1">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a> <a href="#ref-for-dom-publickeycredentialrequestoptions-allowlist-2">(2)</a> <a href="#ref-for-dom-publickeycredentialrequestoptions-allowlist-3">(3)</a> <a href="#ref-for-dom-publickeycredentialrequestoptions-allowlist-4">(4)</a>
    <li><a href="#ref-for-dom-publickeycredentialrequestoptions-allowlist-5">4.6. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialrequestoptions-extensions">
   <b><a href="#dom-publickeycredentialrequestoptions-extensions">#dom-publickeycredentialrequestoptions-extensions</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialrequestoptions-extensions-1">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a> <a href="#ref-for-dom-publickeycredentialrequestoptions-extensions-2">(2)</a>
    <li><a href="#ref-for-dom-publickeycredentialrequestoptions-extensions-3">4.6. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="typedefdef-authenticationextensions">
   <b><a href="#typedefdef-authenticationextensions">#typedefdef-authenticationextensions</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-typedefdef-authenticationextensions-1">4.1. PublicKeyCredential Interface</a> <a href="#ref-for-typedefdef-authenticationextensions-2">(2)</a>
    <li><a href="#ref-for-typedefdef-authenticationextensions-3">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
    <li><a href="#ref-for-typedefdef-authenticationextensions-4">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a>
    <li><a href="#ref-for-typedefdef-authenticationextensions-5">4.5. Options for Credential Creation (dictionary MakeCredentialOptions)</a> <a href="#ref-for-typedefdef-authenticationextensions-6">(2)</a>
    <li><a href="#ref-for-typedefdef-authenticationextensions-7">4.6. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a> <a href="#ref-for-typedefdef-authenticationextensions-8">(2)</a>
    <li><a href="#ref-for-typedefdef-authenticationextensions-9">4.8.1. Client data used in WebAuthn signatures (dictionary CollectedClientData)</a> <a href="#ref-for-typedefdef-authenticationextensions-10">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dictdef-collectedclientdata">
   <b><a href="#dictdef-collectedclientdata">#dictdef-collectedclientdata</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dictdef-collectedclientdata-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
    <li><a href="#ref-for-dictdef-collectedclientdata-2">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a>
    <li><a href="#ref-for-dictdef-collectedclientdata-3">4.8.1. Client data used in WebAuthn signatures (dictionary CollectedClientData)</a> <a href="#ref-for-dictdef-collectedclientdata-4">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="client-data">
   <b><a href="#client-data">#client-data</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-client-data-1">4.2. Authenticator Responses (interface AuthenticatorResponse)</a>
    <li><a href="#ref-for-client-data-2">5. WebAuthn Authenticator model</a> <a href="#ref-for-client-data-3">(2)</a> <a href="#ref-for-client-data-4">(3)</a>
    <li><a href="#ref-for-client-data-5">5.1. Authenticator data</a> <a href="#ref-for-client-data-6">(2)</a>
    <li><a href="#ref-for-client-data-7">6.1. Registering a new credential</a>
    <li><a href="#ref-for-client-data-8">6.2. Verifying an authentication assertion</a>
    <li><a href="#ref-for-client-data-9">8. WebAuthn Extensions</a>
    <li><a href="#ref-for-client-data-10">8.4. Client extension processing</a>
    <li><a href="#ref-for-client-data-11">8.6. Example Extension</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-collectedclientdata-challenge">
   <b><a href="#dom-collectedclientdata-challenge">#dom-collectedclientdata-challenge</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-collectedclientdata-challenge-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
    <li><a href="#ref-for-dom-collectedclientdata-challenge-2">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a>
    <li><a href="#ref-for-dom-collectedclientdata-challenge-3">4.8.1. Client data used in WebAuthn signatures (dictionary CollectedClientData)</a>
    <li><a href="#ref-for-dom-collectedclientdata-challenge-4">6.1. Registering a new credential</a>
    <li><a href="#ref-for-dom-collectedclientdata-challenge-5">6.2. Verifying an authentication assertion</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-collectedclientdata-origin">
   <b><a href="#dom-collectedclientdata-origin">#dom-collectedclientdata-origin</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-collectedclientdata-origin-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
    <li><a href="#ref-for-dom-collectedclientdata-origin-2">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a>
    <li><a href="#ref-for-dom-collectedclientdata-origin-3">4.8.1. Client data used in WebAuthn signatures (dictionary CollectedClientData)</a>
    <li><a href="#ref-for-dom-collectedclientdata-origin-4">6.1. Registering a new credential</a>
    <li><a href="#ref-for-dom-collectedclientdata-origin-5">6.2. Verifying an authentication assertion</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-collectedclientdata-hashalg">
   <b><a href="#dom-collectedclientdata-hashalg">#dom-collectedclientdata-hashalg</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-collectedclientdata-hashalg-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
    <li><a href="#ref-for-dom-collectedclientdata-hashalg-2">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a>
    <li><a href="#ref-for-dom-collectedclientdata-hashalg-3">4.8.1. Client data used in WebAuthn signatures (dictionary CollectedClientData)</a> <a href="#ref-for-dom-collectedclientdata-hashalg-4">(2)</a>
    <li><a href="#ref-for-dom-collectedclientdata-hashalg-5">6.1. Registering a new credential</a>
    <li><a href="#ref-for-dom-collectedclientdata-hashalg-6">6.2. Verifying an authentication assertion</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-collectedclientdata-tokenbinding">
   <b><a href="#dom-collectedclientdata-tokenbinding">#dom-collectedclientdata-tokenbinding</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-collectedclientdata-tokenbinding-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
    <li><a href="#ref-for-dom-collectedclientdata-tokenbinding-2">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a>
    <li><a href="#ref-for-dom-collectedclientdata-tokenbinding-3">4.8.1. Client data used in WebAuthn signatures (dictionary CollectedClientData)</a>
    <li><a href="#ref-for-dom-collectedclientdata-tokenbinding-4">6.1. Registering a new credential</a>
    <li><a href="#ref-for-dom-collectedclientdata-tokenbinding-5">6.2. Verifying an authentication assertion</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-collectedclientdata-clientextensions">
   <b><a href="#dom-collectedclientdata-clientextensions">#dom-collectedclientdata-clientextensions</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-collectedclientdata-clientextensions-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
    <li><a href="#ref-for-dom-collectedclientdata-clientextensions-2">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a>
    <li><a href="#ref-for-dom-collectedclientdata-clientextensions-3">4.8.1. Client data used in WebAuthn signatures (dictionary CollectedClientData)</a>
    <li><a href="#ref-for-dom-collectedclientdata-clientextensions-4">6.1. Registering a new credential</a>
    <li><a href="#ref-for-dom-collectedclientdata-clientextensions-5">6.2. Verifying an authentication assertion</a>
    <li><a href="#ref-for-dom-collectedclientdata-clientextensions-6">8.4. Client extension processing</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-collectedclientdata-authenticatorextensions">
   <b><a href="#dom-collectedclientdata-authenticatorextensions">#dom-collectedclientdata-authenticatorextensions</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-collectedclientdata-authenticatorextensions-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
    <li><a href="#ref-for-dom-collectedclientdata-authenticatorextensions-2">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a>
    <li><a href="#ref-for-dom-collectedclientdata-authenticatorextensions-3">4.8.1. Client data used in WebAuthn signatures (dictionary CollectedClientData)</a>
    <li><a href="#ref-for-dom-collectedclientdata-authenticatorextensions-4">6.1. Registering a new credential</a>
    <li><a href="#ref-for-dom-collectedclientdata-authenticatorextensions-5">6.2. Verifying an authentication assertion</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="collectedclientdata-json-serialized-client-data">
   <b><a href="#collectedclientdata-json-serialized-client-data">#collectedclientdata-json-serialized-client-data</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-collectedclientdata-json-serialized-client-data-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
    <li><a href="#ref-for-collectedclientdata-json-serialized-client-data-2">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a>
    <li><a href="#ref-for-collectedclientdata-json-serialized-client-data-3">4.2. Authenticator Responses (interface AuthenticatorResponse)</a>
    <li><a href="#ref-for-collectedclientdata-json-serialized-client-data-4">4.2.1. Information about Public Key Credential (interface AuthenticatorAttestationResponse)</a> <a href="#ref-for-collectedclientdata-json-serialized-client-data-5">(2)</a>
    <li><a href="#ref-for-collectedclientdata-json-serialized-client-data-6">4.2.2. Web Authentication Assertion (interface AuthenticatorAssertionResponse)</a>
    <li><a href="#ref-for-collectedclientdata-json-serialized-client-data-7">4.8.1. Client data used in WebAuthn signatures (dictionary CollectedClientData)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="collectedclientdata-hash-of-the-serialized-client-data">
   <b><a href="#collectedclientdata-hash-of-the-serialized-client-data">#collectedclientdata-hash-of-the-serialized-client-data</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-collectedclientdata-hash-of-the-serialized-client-data-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a> <a href="#ref-for-collectedclientdata-hash-of-the-serialized-client-data-2">(2)</a>
    <li><a href="#ref-for-collectedclientdata-hash-of-the-serialized-client-data-3">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a> <a href="#ref-for-collectedclientdata-hash-of-the-serialized-client-data-4">(2)</a>
    <li><a href="#ref-for-collectedclientdata-hash-of-the-serialized-client-data-5">4.2.1. Information about Public Key Credential (interface AuthenticatorAttestationResponse)</a>
    <li><a href="#ref-for-collectedclientdata-hash-of-the-serialized-client-data-6">4.2.2. Web Authentication Assertion (interface AuthenticatorAssertionResponse)</a>
    <li><a href="#ref-for-collectedclientdata-hash-of-the-serialized-client-data-7">4.8.1. Client data used in WebAuthn signatures (dictionary CollectedClientData)</a>
    <li><a href="#ref-for-collectedclientdata-hash-of-the-serialized-client-data-8">5. WebAuthn Authenticator model</a>
    <li><a href="#ref-for-collectedclientdata-hash-of-the-serialized-client-data-9">5.2.1. The authenticatorMakeCredential operation</a> <a href="#ref-for-collectedclientdata-hash-of-the-serialized-client-data-10">(2)</a>
    <li><a href="#ref-for-collectedclientdata-hash-of-the-serialized-client-data-11">5.2.2. The authenticatorGetAssertion operation</a> <a href="#ref-for-collectedclientdata-hash-of-the-serialized-client-data-12">(2)</a> <a href="#ref-for-collectedclientdata-hash-of-the-serialized-client-data-13">(3)</a>
    <li><a href="#ref-for-collectedclientdata-hash-of-the-serialized-client-data-14">5.3.2. Attestation Statement Formats</a> <a href="#ref-for-collectedclientdata-hash-of-the-serialized-client-data-15">(2)</a>
    <li><a href="#ref-for-collectedclientdata-hash-of-the-serialized-client-data-16">5.3.4. Generating an Attestation Object</a>
    <li><a href="#ref-for-collectedclientdata-hash-of-the-serialized-client-data-17">6.1. Registering a new credential</a>
    <li><a href="#ref-for-collectedclientdata-hash-of-the-serialized-client-data-18">7.2. Packed Attestation Statement Format</a> <a href="#ref-for-collectedclientdata-hash-of-the-serialized-client-data-19">(2)</a>
    <li><a href="#ref-for-collectedclientdata-hash-of-the-serialized-client-data-20">7.3. TPM Attestation Statement Format</a> <a href="#ref-for-collectedclientdata-hash-of-the-serialized-client-data-21">(2)</a>
    <li><a href="#ref-for-collectedclientdata-hash-of-the-serialized-client-data-22">7.4. Android Key Attestation Statement Format</a> <a href="#ref-for-collectedclientdata-hash-of-the-serialized-client-data-23">(2)</a>
    <li><a href="#ref-for-collectedclientdata-hash-of-the-serialized-client-data-24">7.5. Android SafetyNet Attestation Statement Format</a>
    <li><a href="#ref-for-collectedclientdata-hash-of-the-serialized-client-data-25">7.6. FIDO U2F Attestation Statement Format</a> <a href="#ref-for-collectedclientdata-hash-of-the-serialized-client-data-26">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="enumdef-publickeycredentialtype">
   <b><a href="#enumdef-publickeycredentialtype">#enumdef-publickeycredentialtype</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-enumdef-publickeycredentialtype-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a> <a href="#ref-for-enumdef-publickeycredentialtype-2">(2)</a>
    <li><a href="#ref-for-enumdef-publickeycredentialtype-3">4.3. Parameters for Credential Generation (dictionary PublicKeyCredentialParameters)</a>
    <li><a href="#ref-for-enumdef-publickeycredentialtype-4">4.8.2. Credential Type enumeration (enum PublicKeyCredentialType)</a>
    <li><a href="#ref-for-enumdef-publickeycredentialtype-5">4.8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor)</a>
    <li><a href="#ref-for-enumdef-publickeycredentialtype-6">5.2.1. The authenticatorMakeCredential operation</a> <a href="#ref-for-enumdef-publickeycredentialtype-7">(2)</a> <a href="#ref-for-enumdef-publickeycredentialtype-8">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialtype-public-key">
   <b><a href="#dom-publickeycredentialtype-public-key">#dom-publickeycredentialtype-public-key</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialtype-public-key-1">4.8.2. Credential Type enumeration (enum PublicKeyCredentialType)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dictdef-publickeycredentialdescriptor">
   <b><a href="#dictdef-publickeycredentialdescriptor">#dictdef-publickeycredentialdescriptor</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dictdef-publickeycredentialdescriptor-1">4.5. Options for Credential Creation (dictionary MakeCredentialOptions)</a> <a href="#ref-for-dictdef-publickeycredentialdescriptor-2">(2)</a>
    <li><a href="#ref-for-dictdef-publickeycredentialdescriptor-3">4.6. Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions)</a> <a href="#ref-for-dictdef-publickeycredentialdescriptor-4">(2)</a> <a href="#ref-for-dictdef-publickeycredentialdescriptor-5">(3)</a>
    <li><a href="#ref-for-dictdef-publickeycredentialdescriptor-6">4.8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialdescriptor-transports">
   <b><a href="#dom-publickeycredentialdescriptor-transports">#dom-publickeycredentialdescriptor-transports</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialdescriptor-transports-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a> <a href="#ref-for-dom-publickeycredentialdescriptor-transports-2">(2)</a>
    <li><a href="#ref-for-dom-publickeycredentialdescriptor-transports-3">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a> <a href="#ref-for-dom-publickeycredentialdescriptor-transports-4">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialdescriptor-type">
   <b><a href="#dom-publickeycredentialdescriptor-type">#dom-publickeycredentialdescriptor-type</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialdescriptor-type-1">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a>
    <li><a href="#ref-for-dom-publickeycredentialdescriptor-type-2">4.8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-publickeycredentialdescriptor-id">
   <b><a href="#dom-publickeycredentialdescriptor-id">#dom-publickeycredentialdescriptor-id</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-publickeycredentialdescriptor-id-1">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a>
    <li><a href="#ref-for-dom-publickeycredentialdescriptor-id-2">4.8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="enumdef-transport">
   <b><a href="#enumdef-transport">#enumdef-transport</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-enumdef-transport-1">4.8.3. Credential Descriptor (dictionary PublicKeyCredentialDescriptor)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-transport-usb">
   <b><a href="#dom-transport-usb">#dom-transport-usb</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-transport-usb-1">4.8.4. Credential Transport enumeration (enum ExternalTransport)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-transport-nfc">
   <b><a href="#dom-transport-nfc">#dom-transport-nfc</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-transport-nfc-1">4.8.4. Credential Transport enumeration (enum ExternalTransport)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-transport-ble">
   <b><a href="#dom-transport-ble">#dom-transport-ble</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-transport-ble-1">4.8.4. Credential Transport enumeration (enum ExternalTransport)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authenticator-data">
   <b><a href="#authenticator-data">#authenticator-data</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authenticator-data-1">4.2.1. Information about Public Key Credential (interface AuthenticatorAttestationResponse)</a> <a href="#ref-for-authenticator-data-2">(2)</a>
    <li><a href="#ref-for-authenticator-data-3">4.2.2. Web Authentication Assertion (interface AuthenticatorAssertionResponse)</a>
    <li><a href="#ref-for-authenticator-data-4">5. WebAuthn Authenticator model</a> <a href="#ref-for-authenticator-data-5">(2)</a>
    <li><a href="#ref-for-authenticator-data-6">5.1. Authenticator data</a> <a href="#ref-for-authenticator-data-7">(2)</a> <a href="#ref-for-authenticator-data-8">(3)</a> <a href="#ref-for-authenticator-data-9">(4)</a> <a href="#ref-for-authenticator-data-10">(5)</a> <a href="#ref-for-authenticator-data-11">(6)</a> <a href="#ref-for-authenticator-data-12">(7)</a> <a href="#ref-for-authenticator-data-13">(8)</a>
    <li><a href="#ref-for-authenticator-data-14">5.2.1. The authenticatorMakeCredential operation</a> <a href="#ref-for-authenticator-data-15">(2)</a>
    <li><a href="#ref-for-authenticator-data-16">5.2.2. The authenticatorGetAssertion operation</a> <a href="#ref-for-authenticator-data-17">(2)</a> <a href="#ref-for-authenticator-data-18">(3)</a> <a href="#ref-for-authenticator-data-19">(4)</a>
    <li><a href="#ref-for-authenticator-data-20">5.3. Credential Attestation</a> <a href="#ref-for-authenticator-data-21">(2)</a>
    <li><a href="#ref-for-authenticator-data-22">5.3.1. Attestation data</a>
    <li><a href="#ref-for-authenticator-data-23">5.3.2. Attestation Statement Formats</a> <a href="#ref-for-authenticator-data-24">(2)</a>
    <li><a href="#ref-for-authenticator-data-25">5.3.4. Generating an Attestation Object</a> <a href="#ref-for-authenticator-data-26">(2)</a> <a href="#ref-for-authenticator-data-27">(3)</a>
    <li><a href="#ref-for-authenticator-data-28">5.3.5.3. Attestation Certificate Hierarchy</a>
    <li><a href="#ref-for-authenticator-data-29">6.1. Registering a new credential</a> <a href="#ref-for-authenticator-data-30">(2)</a>
    <li><a href="#ref-for-authenticator-data-31">7.5. Android SafetyNet Attestation Statement Format</a>
    <li><a href="#ref-for-authenticator-data-32">8.5. Authenticator extension processing</a> <a href="#ref-for-authenticator-data-33">(2)</a>
    <li><a href="#ref-for-authenticator-data-34">8.6. Example Extension</a> <a href="#ref-for-authenticator-data-35">(2)</a>
    <li><a href="#ref-for-authenticator-data-36">9.6. User Verification Index Extension (uvi)</a>
    <li><a href="#ref-for-authenticator-data-37">9.7. Location Extension (loc)</a>
    <li><a href="#ref-for-authenticator-data-38">9.8. User Verification Method Extension (uvm)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authenticatormakecredential">
   <b><a href="#authenticatormakecredential">#authenticatormakecredential</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authenticatormakecredential-1">3. Terminology</a> <a href="#ref-for-authenticatormakecredential-2">(2)</a> <a href="#ref-for-authenticatormakecredential-3">(3)</a>
    <li><a href="#ref-for-authenticatormakecredential-4">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a> <a href="#ref-for-authenticatormakecredential-5">(2)</a>
    <li><a href="#ref-for-authenticatormakecredential-6">5.2.3. The authenticatorCancel operation</a> <a href="#ref-for-authenticatormakecredential-7">(2)</a>
    <li><a href="#ref-for-authenticatormakecredential-8">8. WebAuthn Extensions</a>
    <li><a href="#ref-for-authenticatormakecredential-9">8.2. Defining extensions</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authenticatorgetassertion">
   <b><a href="#authenticatorgetassertion">#authenticatorgetassertion</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authenticatorgetassertion-1">3. Terminology</a> <a href="#ref-for-authenticatorgetassertion-2">(2)</a> <a href="#ref-for-authenticatorgetassertion-3">(3)</a>
    <li><a href="#ref-for-authenticatorgetassertion-4">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a> <a href="#ref-for-authenticatorgetassertion-5">(2)</a> <a href="#ref-for-authenticatorgetassertion-6">(3)</a>
    <li><a href="#ref-for-authenticatorgetassertion-7">5. WebAuthn Authenticator model</a>
    <li><a href="#ref-for-authenticatorgetassertion-8">5.1. Authenticator data</a>
    <li><a href="#ref-for-authenticatorgetassertion-9">5.2.3. The authenticatorCancel operation</a> <a href="#ref-for-authenticatorgetassertion-10">(2)</a>
    <li><a href="#ref-for-authenticatorgetassertion-11">8. WebAuthn Extensions</a>
    <li><a href="#ref-for-authenticatorgetassertion-12">8.2. Defining extensions</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authenticatorcancel">
   <b><a href="#authenticatorcancel">#authenticatorcancel</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authenticatorcancel-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a> <a href="#ref-for-authenticatorcancel-2">(2)</a> <a href="#ref-for-authenticatorcancel-3">(3)</a>
    <li><a href="#ref-for-authenticatorcancel-4">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a> <a href="#ref-for-authenticatorcancel-5">(2)</a> <a href="#ref-for-authenticatorcancel-6">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="attestation-statement-format">
   <b><a href="#attestation-statement-format">#attestation-statement-format</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-attestation-statement-format-1">3. Terminology</a>
    <li><a href="#ref-for-attestation-statement-format-2">4.2.1. Information about Public Key Credential (interface AuthenticatorAttestationResponse)</a>
    <li><a href="#ref-for-attestation-statement-format-3">5.3.4. Generating an Attestation Object</a> <a href="#ref-for-attestation-statement-format-4">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="attestation-type">
   <b><a href="#attestation-type">#attestation-type</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-attestation-type-1">3. Terminology</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="attestation-data">
   <b><a href="#attestation-data">#attestation-data</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-attestation-data-1">5.1. Authenticator data</a> <a href="#ref-for-attestation-data-2">(2)</a> <a href="#ref-for-attestation-data-3">(3)</a> <a href="#ref-for-attestation-data-4">(4)</a> <a href="#ref-for-attestation-data-5">(5)</a> <a href="#ref-for-attestation-data-6">(6)</a> <a href="#ref-for-attestation-data-7">(7)</a>
    <li><a href="#ref-for-attestation-data-8">5.2.1. The authenticatorMakeCredential operation</a>
    <li><a href="#ref-for-attestation-data-9">5.2.2. The authenticatorGetAssertion operation</a>
    <li><a href="#ref-for-attestation-data-10">5.3. Credential Attestation</a> <a href="#ref-for-attestation-data-11">(2)</a>
    <li><a href="#ref-for-attestation-data-12">5.3.3. Attestation Types</a>
    <li><a href="#ref-for-attestation-data-13">6.1. Registering a new credential</a> <a href="#ref-for-attestation-data-14">(2)</a>
    <li><a href="#ref-for-attestation-data-15">7.3. TPM Attestation Statement Format</a>
    <li><a href="#ref-for-attestation-data-16">7.4. Android Key Attestation Statement Format</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authenticator-data-for-the-attestation">
   <b><a href="#authenticator-data-for-the-attestation">#authenticator-data-for-the-attestation</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authenticator-data-for-the-attestation-1">7.2. Packed Attestation Statement Format</a>
    <li><a href="#ref-for-authenticator-data-for-the-attestation-2">7.3. TPM Attestation Statement Format</a>
    <li><a href="#ref-for-authenticator-data-for-the-attestation-3">7.4. Android Key Attestation Statement Format</a> <a href="#ref-for-authenticator-data-for-the-attestation-4">(2)</a>
    <li><a href="#ref-for-authenticator-data-for-the-attestation-5">7.5. Android SafetyNet Attestation Statement Format</a>
    <li><a href="#ref-for-authenticator-data-for-the-attestation-6">7.6. FIDO U2F Attestation Statement Format</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authenticator-data-claimed-to-have-been-used-for-the-attestation">
   <b><a href="#authenticator-data-claimed-to-have-been-used-for-the-attestation">#authenticator-data-claimed-to-have-been-used-for-the-attestation</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authenticator-data-claimed-to-have-been-used-for-the-attestation-1">7.2. Packed Attestation Statement Format</a>
    <li><a href="#ref-for-authenticator-data-claimed-to-have-been-used-for-the-attestation-2">7.3. TPM Attestation Statement Format</a>
    <li><a href="#ref-for-authenticator-data-claimed-to-have-been-used-for-the-attestation-3">7.4. Android Key Attestation Statement Format</a> <a href="#ref-for-authenticator-data-claimed-to-have-been-used-for-the-attestation-4">(2)</a>
    <li><a href="#ref-for-authenticator-data-claimed-to-have-been-used-for-the-attestation-5">7.6. FIDO U2F Attestation Statement Format</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="basic-attestation">
   <b><a href="#basic-attestation">#basic-attestation</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-basic-attestation-1">5.3.5.1. Privacy</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="self-attestation">
   <b><a href="#self-attestation">#self-attestation</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-self-attestation-1">3. Terminology</a> <a href="#ref-for-self-attestation-2">(2)</a> <a href="#ref-for-self-attestation-3">(3)</a> <a href="#ref-for-self-attestation-4">(4)</a>
    <li><a href="#ref-for-self-attestation-5">5.3. Credential Attestation</a>
    <li><a href="#ref-for-self-attestation-6">5.3.5.2. Attestation Certificate and Attestation Certificate CA Compromise</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="privacy-ca">
   <b><a href="#privacy-ca">#privacy-ca</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-privacy-ca-1">5.3.5.1. Privacy</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="elliptic-curve-based-direct-anonymous-attestation">
   <b><a href="#elliptic-curve-based-direct-anonymous-attestation">#elliptic-curve-based-direct-anonymous-attestation</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-elliptic-curve-based-direct-anonymous-attestation-1">5.3.5.1. Privacy</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="ecdaa">
   <b><a href="#ecdaa">#ecdaa</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-ecdaa-1">5.3.2. Attestation Statement Formats</a>
    <li><a href="#ref-for-ecdaa-2">5.3.3. Attestation Types</a>
    <li><a href="#ref-for-ecdaa-3">5.3.5.2. Attestation Certificate and Attestation Certificate CA Compromise</a>
    <li><a href="#ref-for-ecdaa-4">6.1. Registering a new credential</a>
    <li><a href="#ref-for-ecdaa-5">7.2. Packed Attestation Statement Format</a> <a href="#ref-for-ecdaa-6">(2)</a>
    <li><a href="#ref-for-ecdaa-7">7.3. TPM Attestation Statement Format</a> <a href="#ref-for-ecdaa-8">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="attestation-statement-format-identifier">
   <b><a href="#attestation-statement-format-identifier">#attestation-statement-format-identifier</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-attestation-statement-format-identifier-1">5.3.2. Attestation Statement Formats</a>
    <li><a href="#ref-for-attestation-statement-format-identifier-2">5.3.4. Generating an Attestation Object</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="identifier-of-the-ecdaa-issuer-public-key">
   <b><a href="#identifier-of-the-ecdaa-issuer-public-key">#identifier-of-the-ecdaa-issuer-public-key</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-identifier-of-the-ecdaa-issuer-public-key-1">6.1. Registering a new credential</a>
    <li><a href="#ref-for-identifier-of-the-ecdaa-issuer-public-key-2">7.2. Packed Attestation Statement Format</a>
    <li><a href="#ref-for-identifier-of-the-ecdaa-issuer-public-key-3">7.3. TPM Attestation Statement Format</a> <a href="#ref-for-identifier-of-the-ecdaa-issuer-public-key-4">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="ecdaa-issuer-public-key">
   <b><a href="#ecdaa-issuer-public-key">#ecdaa-issuer-public-key</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-ecdaa-issuer-public-key-1">5.3.2. Attestation Statement Formats</a>
    <li><a href="#ref-for-ecdaa-issuer-public-key-2">5.3.5.1. Privacy</a>
    <li><a href="#ref-for-ecdaa-issuer-public-key-3">6.1. Registering a new credential</a>
    <li><a href="#ref-for-ecdaa-issuer-public-key-4">7.2. Packed Attestation Statement Format</a> <a href="#ref-for-ecdaa-issuer-public-key-5">(2)</a> <a href="#ref-for-ecdaa-issuer-public-key-6">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="registration-extension">
   <b><a href="#registration-extension">#registration-extension</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-registration-extension-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
    <li><a href="#ref-for-registration-extension-2">8. WebAuthn Extensions</a> <a href="#ref-for-registration-extension-3">(2)</a> <a href="#ref-for-registration-extension-4">(3)</a> <a href="#ref-for-registration-extension-5">(4)</a> <a href="#ref-for-registration-extension-6">(5)</a> <a href="#ref-for-registration-extension-7">(6)</a>
    <li><a href="#ref-for-registration-extension-8">8.6. Example Extension</a>
    <li><a href="#ref-for-registration-extension-9">9.2. Simple Transaction Authorization Extension (txAuthSimple)</a>
    <li><a href="#ref-for-registration-extension-10">9.3. Generic Transaction Authorization Extension (txAuthGeneric)</a>
    <li><a href="#ref-for-registration-extension-11">9.4. Authenticator Selection Extension (authnSel)</a>
    <li><a href="#ref-for-registration-extension-12">9.5. Supported Extensions Extension (exts)</a>
    <li><a href="#ref-for-registration-extension-13">9.6. User Verification Index Extension (uvi)</a>
    <li><a href="#ref-for-registration-extension-14">9.7. Location Extension (loc)</a>
    <li><a href="#ref-for-registration-extension-15">9.8. User Verification Method Extension (uvm)</a>
    <li><a href="#ref-for-registration-extension-16">10.2. WebAuthn Extension Identifier Registrations</a> <a href="#ref-for-registration-extension-17">(2)</a> <a href="#ref-for-registration-extension-18">(3)</a> <a href="#ref-for-registration-extension-19">(4)</a> <a href="#ref-for-registration-extension-20">(5)</a> <a href="#ref-for-registration-extension-21">(6)</a> <a href="#ref-for-registration-extension-22">(7)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authentication-extension">
   <b><a href="#authentication-extension">#authentication-extension</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authentication-extension-1">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a>
    <li><a href="#ref-for-authentication-extension-2">8. WebAuthn Extensions</a> <a href="#ref-for-authentication-extension-3">(2)</a> <a href="#ref-for-authentication-extension-4">(3)</a> <a href="#ref-for-authentication-extension-5">(4)</a> <a href="#ref-for-authentication-extension-6">(5)</a> <a href="#ref-for-authentication-extension-7">(6)</a>
    <li><a href="#ref-for-authentication-extension-8">8.6. Example Extension</a>
    <li><a href="#ref-for-authentication-extension-9">9.1. FIDO AppId Extension (appid)</a>
    <li><a href="#ref-for-authentication-extension-10">9.2. Simple Transaction Authorization Extension (txAuthSimple)</a>
    <li><a href="#ref-for-authentication-extension-11">9.3. Generic Transaction Authorization Extension (txAuthGeneric)</a>
    <li><a href="#ref-for-authentication-extension-12">9.6. User Verification Index Extension (uvi)</a>
    <li><a href="#ref-for-authentication-extension-13">9.7. Location Extension (loc)</a>
    <li><a href="#ref-for-authentication-extension-14">9.8. User Verification Method Extension (uvm)</a>
    <li><a href="#ref-for-authentication-extension-15">10.2. WebAuthn Extension Identifier Registrations</a> <a href="#ref-for-authentication-extension-16">(2)</a> <a href="#ref-for-authentication-extension-17">(3)</a> <a href="#ref-for-authentication-extension-18">(4)</a> <a href="#ref-for-authentication-extension-19">(5)</a> <a href="#ref-for-authentication-extension-20">(6)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="client-extension">
   <b><a href="#client-extension">#client-extension</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-client-extension-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
    <li><a href="#ref-for-client-extension-2">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a>
    <li><a href="#ref-for-client-extension-3">4.7. Authentication Extensions (typedef AuthenticationExtensions)</a>
    <li><a href="#ref-for-client-extension-4">8. WebAuthn Extensions</a>
    <li><a href="#ref-for-client-extension-5">8.2. Defining extensions</a>
    <li><a href="#ref-for-client-extension-6">8.4. Client extension processing</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authenticator-extension">
   <b><a href="#authenticator-extension">#authenticator-extension</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authenticator-extension-1">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
    <li><a href="#ref-for-authenticator-extension-2">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a>
    <li><a href="#ref-for-authenticator-extension-3">4.7. Authentication Extensions (typedef AuthenticationExtensions)</a>
    <li><a href="#ref-for-authenticator-extension-4">8. WebAuthn Extensions</a> <a href="#ref-for-authenticator-extension-5">(2)</a> <a href="#ref-for-authenticator-extension-6">(3)</a>
    <li><a href="#ref-for-authenticator-extension-7">8.2. Defining extensions</a> <a href="#ref-for-authenticator-extension-8">(2)</a>
    <li><a href="#ref-for-authenticator-extension-9">8.3. Extending request parameters</a>
    <li><a href="#ref-for-authenticator-extension-10">8.5. Authenticator extension processing</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="extension-identifier">
   <b><a href="#extension-identifier">#extension-identifier</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-extension-identifier-1">4.1. PublicKeyCredential Interface</a>
    <li><a href="#ref-for-extension-identifier-2">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a>
    <li><a href="#ref-for-extension-identifier-3">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a>
    <li><a href="#ref-for-extension-identifier-4">5.1. Authenticator data</a>
    <li><a href="#ref-for-extension-identifier-5">8. WebAuthn Extensions</a> <a href="#ref-for-extension-identifier-6">(2)</a>
    <li><a href="#ref-for-extension-identifier-7">8.2. Defining extensions</a>
    <li><a href="#ref-for-extension-identifier-8">8.3. Extending request parameters</a>
    <li><a href="#ref-for-extension-identifier-9">8.4. Client extension processing</a> <a href="#ref-for-extension-identifier-10">(2)</a>
    <li><a href="#ref-for-extension-identifier-11">8.5. Authenticator extension processing</a> <a href="#ref-for-extension-identifier-12">(2)</a>
    <li><a href="#ref-for-extension-identifier-13">8.6. Example Extension</a>
    <li><a href="#ref-for-extension-identifier-14">9.5. Supported Extensions Extension (exts)</a> <a href="#ref-for-extension-identifier-15">(2)</a>
    <li><a href="#ref-for-extension-identifier-16">9.7. Location Extension (loc)</a>
    <li><a href="#ref-for-extension-identifier-17">10.2. WebAuthn Extension Identifier Registrations</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="client-extension-input">
   <b><a href="#client-extension-input">#client-extension-input</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-client-extension-input-1">8. WebAuthn Extensions</a> <a href="#ref-for-client-extension-input-2">(2)</a> <a href="#ref-for-client-extension-input-3">(3)</a>
    <li><a href="#ref-for-client-extension-input-4">8.2. Defining extensions</a>
    <li><a href="#ref-for-client-extension-input-5">8.3. Extending request parameters</a> <a href="#ref-for-client-extension-input-6">(2)</a> <a href="#ref-for-client-extension-input-7">(3)</a> <a href="#ref-for-client-extension-input-8">(4)</a> <a href="#ref-for-client-extension-input-9">(5)</a> <a href="#ref-for-client-extension-input-10">(6)</a>
    <li><a href="#ref-for-client-extension-input-11">8.4. Client extension processing</a> <a href="#ref-for-client-extension-input-12">(2)</a> <a href="#ref-for-client-extension-input-13">(3)</a> <a href="#ref-for-client-extension-input-14">(4)</a>
    <li><a href="#ref-for-client-extension-input-15">8.6. Example Extension</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authenticator-extension-input">
   <b><a href="#authenticator-extension-input">#authenticator-extension-input</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authenticator-extension-input-1">8. WebAuthn Extensions</a> <a href="#ref-for-authenticator-extension-input-2">(2)</a> <a href="#ref-for-authenticator-extension-input-3">(3)</a> <a href="#ref-for-authenticator-extension-input-4">(4)</a> <a href="#ref-for-authenticator-extension-input-5">(5)</a>
    <li><a href="#ref-for-authenticator-extension-input-6">8.2. Defining extensions</a>
    <li><a href="#ref-for-authenticator-extension-input-7">8.3. Extending request parameters</a> <a href="#ref-for-authenticator-extension-input-8">(2)</a> <a href="#ref-for-authenticator-extension-input-9">(3)</a>
    <li><a href="#ref-for-authenticator-extension-input-10">8.4. Client extension processing</a>
    <li><a href="#ref-for-authenticator-extension-input-11">8.5. Authenticator extension processing</a> <a href="#ref-for-authenticator-extension-input-12">(2)</a> <a href="#ref-for-authenticator-extension-input-13">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="client-extension-processing">
   <b><a href="#client-extension-processing">#client-extension-processing</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-client-extension-processing-1">4.1. PublicKeyCredential Interface</a>
    <li><a href="#ref-for-client-extension-processing-2">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a> <a href="#ref-for-client-extension-processing-3">(2)</a>
    <li><a href="#ref-for-client-extension-processing-4">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a> <a href="#ref-for-client-extension-processing-5">(2)</a>
    <li><a href="#ref-for-client-extension-processing-6">8. WebAuthn Extensions</a> <a href="#ref-for-client-extension-processing-7">(2)</a> <a href="#ref-for-client-extension-processing-8">(3)</a> <a href="#ref-for-client-extension-processing-9">(4)</a>
    <li><a href="#ref-for-client-extension-processing-10">8.2. Defining extensions</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="client-extension-output">
   <b><a href="#client-extension-output">#client-extension-output</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-client-extension-output-1">4.1. PublicKeyCredential Interface</a>
    <li><a href="#ref-for-client-extension-output-2">4.1.3. Create a new credential - PublicKeyCredential’s \[[Create]](options) method</a> <a href="#ref-for-client-extension-output-3">(2)</a>
    <li><a href="#ref-for-client-extension-output-4">4.1.4. Use an existing credential - PublicKeyCredential::[[DiscoverFromExternalSource]](options) method</a> <a href="#ref-for-client-extension-output-5">(2)</a>
    <li><a href="#ref-for-client-extension-output-6">8. WebAuthn Extensions</a> <a href="#ref-for-client-extension-output-7">(2)</a> <a href="#ref-for-client-extension-output-8">(3)</a>
    <li><a href="#ref-for-client-extension-output-9">8.2. Defining extensions</a> <a href="#ref-for-client-extension-output-10">(2)</a> <a href="#ref-for-client-extension-output-11">(3)</a>
    <li><a href="#ref-for-client-extension-output-12">8.4. Client extension processing</a> <a href="#ref-for-client-extension-output-13">(2)</a> <a href="#ref-for-client-extension-output-14">(3)</a>
    <li><a href="#ref-for-client-extension-output-15">8.6. Example Extension</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authenticator-extension-processing">
   <b><a href="#authenticator-extension-processing">#authenticator-extension-processing</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authenticator-extension-processing-1">8. WebAuthn Extensions</a>
    <li><a href="#ref-for-authenticator-extension-processing-2">8.2. Defining extensions</a>
    <li><a href="#ref-for-authenticator-extension-processing-3">8.5. Authenticator extension processing</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="authenticator-extension-output">
   <b><a href="#authenticator-extension-output">#authenticator-extension-output</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-authenticator-extension-output-1">5.1. Authenticator data</a>
    <li><a href="#ref-for-authenticator-extension-output-2">8. WebAuthn Extensions</a> <a href="#ref-for-authenticator-extension-output-3">(2)</a> <a href="#ref-for-authenticator-extension-output-4">(3)</a>
    <li><a href="#ref-for-authenticator-extension-output-5">8.2. Defining extensions</a> <a href="#ref-for-authenticator-extension-output-6">(2)</a> <a href="#ref-for-authenticator-extension-output-7">(3)</a>
    <li><a href="#ref-for-authenticator-extension-output-8">8.4. Client extension processing</a>
    <li><a href="#ref-for-authenticator-extension-output-9">8.5. Authenticator extension processing</a>
    <li><a href="#ref-for-authenticator-extension-output-10">8.6. Example Extension</a>
    <li><a href="#ref-for-authenticator-extension-output-11">9.5. Supported Extensions Extension (exts)</a>
    <li><a href="#ref-for-authenticator-extension-output-12">9.6. User Verification Index Extension (uvi)</a>
    <li><a href="#ref-for-authenticator-extension-output-13">9.7. Location Extension (loc)</a>
    <li><a href="#ref-for-authenticator-extension-output-14">9.8. User Verification Method Extension (uvm)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="typedefdef-authenticatorselectionlist">
   <b><a href="#typedefdef-authenticatorselectionlist">#typedefdef-authenticatorselectionlist</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-typedefdef-authenticatorselectionlist-1">9.4. Authenticator Selection Extension (authnSel)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="typedefdef-aaguid">
   <b><a href="#typedefdef-aaguid">#typedefdef-aaguid</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-typedefdef-aaguid-1">9.4. Authenticator Selection Extension (authnSel)</a>
   </ul>
  </aside>
<script>/* script-dfn-panel */

        document.body.addEventListener("click", function(e) {
            var queryAll = function(sel) { return [].slice.call(document.querySelectorAll(sel)); }
            // Find the dfn element or panel, if any, that was clicked on.
            var el = e.target;
            var target;
            var hitALink = false;
            while(el.parentElement) {
                if(el.tagName == "A") {
                    // Clicking on a link in a <dfn> shouldn't summon the panel
                    hitALink = true;
                }
                if(el.classList.contains("dfn-paneled")) {
                    target = "dfn";
                    break;
                }
                if(el.classList.contains("dfn-panel")) {
                    target = "dfn-panel";
                    break;
                }
                el = el.parentElement;
            }
            if(target != "dfn-panel") {
                // Turn off any currently "on" or "activated" panels.
                queryAll(".dfn-panel.on, .dfn-panel.activated").forEach(function(el){
                    el.classList.remove("on");
                    el.classList.remove("activated");
                });
            }
            if(target == "dfn" && !hitALink) {
                // open the panel
                var dfnPanel = document.querySelector(".dfn-panel[data-for='" + el.id + "']");
                if(dfnPanel) {
                    console.log(dfnPanel);
                    dfnPanel.classList.add("on");
                    var rect = el.getBoundingClientRect();
                    dfnPanel.style.left = window.scrollX + rect.right + 5 + "px";
                    dfnPanel.style.top = window.scrollY + rect.top + "px";
                    var panelRect = dfnPanel.getBoundingClientRect();
                    var panelWidth = panelRect.right - panelRect.left;
                    if(panelRect.right > document.body.scrollWidth && (rect.left - (panelWidth + 5)) > 0) {
                        // Reposition, because the panel is overflowing
                        dfnPanel.style.left = window.scrollX + rect.left - (panelWidth + 5) + "px";
                    }
                } else {
                    console.log("Couldn't find .dfn-panel[data-for='" + el.id + "']");
                }
            } else if(target == "dfn-panel") {
                // Switch it to "activated" state, which pins it.
                el.classList.add("activated");
                el.style.left = null;
                el.style.top = null;
            }

        });
        </script>
